1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay@cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay@cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] 56 */ 57 /* ==================================================================== 58 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 59 * ECDH support in OpenSSL originally developed by 60 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 61 */ 62 63 #ifndef HEADER_X509_H 64 #define HEADER_X509_H 65 66 #include <openssl/asn1.h> 67 #include <openssl/base.h> 68 #include <openssl/bio.h> 69 #include <openssl/cipher.h> 70 #include <openssl/dh.h> 71 #include <openssl/dsa.h> 72 #include <openssl/ec.h> 73 #include <openssl/ecdh.h> 74 #include <openssl/ecdsa.h> 75 #include <openssl/evp.h> 76 #include <openssl/obj.h> 77 #include <openssl/pkcs7.h> 78 #include <openssl/pool.h> 79 #include <openssl/rsa.h> 80 #include <openssl/sha.h> 81 #include <openssl/stack.h> 82 #include <openssl/thread.h> 83 #include <time.h> 84 85 #if defined(__cplusplus) 86 extern "C" { 87 #endif 88 89 90 // Legacy X.509 library. 91 // 92 // This header is part of OpenSSL's X.509 implementation. It is retained for 93 // compatibility but otherwise underdocumented and not actively maintained. In 94 // the future, a replacement library will be available. Meanwhile, minimize 95 // dependencies on this header where possible. 96 97 98 #define X509_FILETYPE_PEM 1 99 #define X509_FILETYPE_ASN1 2 100 #define X509_FILETYPE_DEFAULT 3 101 102 #define X509v3_KU_DIGITAL_SIGNATURE 0x0080 103 #define X509v3_KU_NON_REPUDIATION 0x0040 104 #define X509v3_KU_KEY_ENCIPHERMENT 0x0020 105 #define X509v3_KU_DATA_ENCIPHERMENT 0x0010 106 #define X509v3_KU_KEY_AGREEMENT 0x0008 107 #define X509v3_KU_KEY_CERT_SIGN 0x0004 108 #define X509v3_KU_CRL_SIGN 0x0002 109 #define X509v3_KU_ENCIPHER_ONLY 0x0001 110 #define X509v3_KU_DECIPHER_ONLY 0x8000 111 #define X509v3_KU_UNDEF 0xffff 112 113 struct X509_algor_st { 114 ASN1_OBJECT *algorithm; 115 ASN1_TYPE *parameter; 116 } /* X509_ALGOR */; 117 118 DECLARE_ASN1_FUNCTIONS(X509_ALGOR) 119 120 DEFINE_STACK_OF(X509_ALGOR) 121 122 typedef STACK_OF(X509_ALGOR) X509_ALGORS; 123 124 DEFINE_STACK_OF(X509_NAME_ENTRY) 125 126 DEFINE_STACK_OF(X509_NAME) 127 128 typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS; 129 130 DEFINE_STACK_OF(X509_EXTENSION) 131 132 DEFINE_STACK_OF(X509_ATTRIBUTE) 133 134 // This stuff is certificate "auxiliary info" 135 // it contains details which are useful in certificate 136 // stores and databases. When used this is tagged onto 137 // the end of the certificate itself 138 139 DECLARE_STACK_OF(DIST_POINT) 140 DECLARE_STACK_OF(GENERAL_NAME) 141 142 DEFINE_STACK_OF(X509) 143 144 // This is used for a table of trust checking functions 145 146 struct x509_trust_st { 147 int trust; 148 int flags; 149 int (*check_trust)(struct x509_trust_st *, X509 *, int); 150 char *name; 151 int arg1; 152 void *arg2; 153 } /* X509_TRUST */; 154 155 DEFINE_STACK_OF(X509_TRUST) 156 157 // standard trust ids 158 159 #define X509_TRUST_DEFAULT (-1) // Only valid in purpose settings 160 161 #define X509_TRUST_COMPAT 1 162 #define X509_TRUST_SSL_CLIENT 2 163 #define X509_TRUST_SSL_SERVER 3 164 #define X509_TRUST_EMAIL 4 165 #define X509_TRUST_OBJECT_SIGN 5 166 #define X509_TRUST_OCSP_SIGN 6 167 #define X509_TRUST_OCSP_REQUEST 7 168 #define X509_TRUST_TSA 8 169 170 // Keep these up to date! 171 #define X509_TRUST_MIN 1 172 #define X509_TRUST_MAX 8 173 174 175 // trust_flags values 176 #define X509_TRUST_DYNAMIC 1 177 #define X509_TRUST_DYNAMIC_NAME 2 178 179 // check_trust return codes 180 181 #define X509_TRUST_TRUSTED 1 182 #define X509_TRUST_REJECTED 2 183 #define X509_TRUST_UNTRUSTED 3 184 185 // Flags for X509_print_ex() 186 187 #define X509_FLAG_COMPAT 0 188 #define X509_FLAG_NO_HEADER 1L 189 #define X509_FLAG_NO_VERSION (1L << 1) 190 #define X509_FLAG_NO_SERIAL (1L << 2) 191 #define X509_FLAG_NO_SIGNAME (1L << 3) 192 #define X509_FLAG_NO_ISSUER (1L << 4) 193 #define X509_FLAG_NO_VALIDITY (1L << 5) 194 #define X509_FLAG_NO_SUBJECT (1L << 6) 195 #define X509_FLAG_NO_PUBKEY (1L << 7) 196 #define X509_FLAG_NO_EXTENSIONS (1L << 8) 197 #define X509_FLAG_NO_SIGDUMP (1L << 9) 198 #define X509_FLAG_NO_AUX (1L << 10) 199 #define X509_FLAG_NO_ATTRIBUTES (1L << 11) 200 #define X509_FLAG_NO_IDS (1L << 12) 201 202 // Flags specific to X509_NAME_print_ex(). These flags must not collide with 203 // |ASN1_STRFLGS_*|. 204 205 // The field separator information 206 207 #define XN_FLAG_SEP_MASK (0xf << 16) 208 209 #define XN_FLAG_COMPAT 0 // Traditional SSLeay: use old X509_NAME_print 210 #define XN_FLAG_SEP_COMMA_PLUS (1 << 16) // RFC 2253 ,+ 211 #define XN_FLAG_SEP_CPLUS_SPC (2 << 16) // ,+ spaced: more readable 212 #define XN_FLAG_SEP_SPLUS_SPC (3 << 16) // ;+ spaced 213 #define XN_FLAG_SEP_MULTILINE (4 << 16) // One line per field 214 215 #define XN_FLAG_DN_REV (1 << 20) // Reverse DN order 216 217 // How the field name is shown 218 219 #define XN_FLAG_FN_MASK (0x3 << 21) 220 221 #define XN_FLAG_FN_SN 0 // Object short name 222 #define XN_FLAG_FN_LN (1 << 21) // Object long name 223 #define XN_FLAG_FN_OID (2 << 21) // Always use OIDs 224 #define XN_FLAG_FN_NONE (3 << 21) // No field names 225 226 #define XN_FLAG_SPC_EQ (1 << 23) // Put spaces round '=' 227 228 // This determines if we dump fields we don't recognise: 229 // RFC 2253 requires this. 230 231 #define XN_FLAG_DUMP_UNKNOWN_FIELDS (1 << 24) 232 233 #define XN_FLAG_FN_ALIGN (1 << 25) // Align field names to 20 characters 234 235 // Complete set of RFC 2253 flags 236 237 #define XN_FLAG_RFC2253 \ 238 (ASN1_STRFLGS_RFC2253 | XN_FLAG_SEP_COMMA_PLUS | XN_FLAG_DN_REV | \ 239 XN_FLAG_FN_SN | XN_FLAG_DUMP_UNKNOWN_FIELDS) 240 241 // readable oneline form 242 243 #define XN_FLAG_ONELINE \ 244 (ASN1_STRFLGS_RFC2253 | ASN1_STRFLGS_ESC_QUOTE | XN_FLAG_SEP_CPLUS_SPC | \ 245 XN_FLAG_SPC_EQ | XN_FLAG_FN_SN) 246 247 // readable multiline form 248 249 #define XN_FLAG_MULTILINE \ 250 (ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB | XN_FLAG_SEP_MULTILINE | \ 251 XN_FLAG_SPC_EQ | XN_FLAG_FN_LN | XN_FLAG_FN_ALIGN) 252 253 DEFINE_STACK_OF(X509_REVOKED) 254 255 DECLARE_STACK_OF(GENERAL_NAMES) 256 257 DEFINE_STACK_OF(X509_CRL) 258 259 struct private_key_st { 260 int version; 261 // The PKCS#8 data types 262 X509_ALGOR *enc_algor; 263 ASN1_OCTET_STRING *enc_pkey; // encrypted pub key 264 265 // When decrypted, the following will not be NULL 266 EVP_PKEY *dec_pkey; 267 268 // used to encrypt and decrypt 269 int key_length; 270 char *key_data; 271 int key_free; // true if we should auto free key_data 272 273 // expanded version of 'enc_algor' 274 EVP_CIPHER_INFO cipher; 275 } /* X509_PKEY */; 276 277 struct X509_info_st { 278 X509 *x509; 279 X509_CRL *crl; 280 X509_PKEY *x_pkey; 281 282 EVP_CIPHER_INFO enc_cipher; 283 int enc_len; 284 char *enc_data; 285 286 } /* X509_INFO */; 287 288 DEFINE_STACK_OF(X509_INFO) 289 290 // The next 2 structures and their 8 routines were sent to me by 291 // Pat Richard <patr@x509.com> and are used to manipulate 292 // Netscapes spki structures - useful if you are writing a CA web page 293 struct Netscape_spkac_st { 294 X509_PUBKEY *pubkey; 295 ASN1_IA5STRING *challenge; // challenge sent in atlas >= PR2 296 } /* NETSCAPE_SPKAC */; 297 298 struct Netscape_spki_st { 299 NETSCAPE_SPKAC *spkac; // signed public key and challenge 300 X509_ALGOR *sig_algor; 301 ASN1_BIT_STRING *signature; 302 } /* NETSCAPE_SPKI */; 303 304 // TODO(davidben): Document remaining functions, reorganize them, and define 305 // supported patterns for using |X509| objects in general. In particular, when 306 // it is safe to call mutating functions is a little tricky due to various 307 // internal caches. 308 309 // X509_VERSION_* are X.509 version numbers. Note the numerical values of all 310 // defined X.509 versions are one less than the named version. 311 #define X509_VERSION_1 0 312 #define X509_VERSION_2 1 313 #define X509_VERSION_3 2 314 315 // X509_get_version returns the numerical value of |x509|'s version, which will 316 // be one of the |X509_VERSION_*| constants. 317 OPENSSL_EXPORT long X509_get_version(const X509 *x509); 318 319 // X509_set_version sets |x509|'s version to |version|, which should be one of 320 // the |X509V_VERSION_*| constants. It returns one on success and zero on error. 321 // 322 // If unsure, use |X509_VERSION_3|. 323 OPENSSL_EXPORT int X509_set_version(X509 *x509, long version); 324 325 // X509_get0_serialNumber returns |x509|'s serial number. 326 OPENSSL_EXPORT const ASN1_INTEGER *X509_get0_serialNumber(const X509 *x509); 327 328 // X509_set_serialNumber sets |x509|'s serial number to |serial|. It returns one 329 // on success and zero on error. 330 OPENSSL_EXPORT int X509_set_serialNumber(X509 *x509, 331 const ASN1_INTEGER *serial); 332 333 // X509_get0_notBefore returns |x509|'s notBefore time. 334 OPENSSL_EXPORT const ASN1_TIME *X509_get0_notBefore(const X509 *x509); 335 336 // X509_get0_notAfter returns |x509|'s notAfter time. 337 OPENSSL_EXPORT const ASN1_TIME *X509_get0_notAfter(const X509 *x509); 338 339 // X509_set1_notBefore sets |x509|'s notBefore time to |tm|. It returns one on 340 // success and zero on error. 341 OPENSSL_EXPORT int X509_set1_notBefore(X509 *x509, const ASN1_TIME *tm); 342 343 // X509_set1_notAfter sets |x509|'s notAfter time to |tm|. it returns one on 344 // success and zero on error. 345 OPENSSL_EXPORT int X509_set1_notAfter(X509 *x509, const ASN1_TIME *tm); 346 347 // X509_getm_notBefore returns a mutable pointer to |x509|'s notBefore time. 348 OPENSSL_EXPORT ASN1_TIME *X509_getm_notBefore(X509 *x509); 349 350 // X509_getm_notAfter returns a mutable pointer to |x509|'s notAfter time. 351 OPENSSL_EXPORT ASN1_TIME *X509_getm_notAfter(X509 *x); 352 353 // X509_get_notBefore returns |x509|'s notBefore time. Note this function is not 354 // const-correct for legacy reasons. Use |X509_get0_notBefore| or 355 // |X509_getm_notBefore| instead. 356 OPENSSL_EXPORT ASN1_TIME *X509_get_notBefore(const X509 *x509); 357 358 // X509_get_notAfter returns |x509|'s notAfter time. Note this function is not 359 // const-correct for legacy reasons. Use |X509_get0_notAfter| or 360 // |X509_getm_notAfter| instead. 361 OPENSSL_EXPORT ASN1_TIME *X509_get_notAfter(const X509 *x509); 362 363 // X509_set_notBefore calls |X509_set1_notBefore|. Use |X509_set1_notBefore| 364 // instead. 365 OPENSSL_EXPORT int X509_set_notBefore(X509 *x509, const ASN1_TIME *tm); 366 367 // X509_set_notAfter calls |X509_set1_notAfter|. Use |X509_set1_notAfter| 368 // instead. 369 OPENSSL_EXPORT int X509_set_notAfter(X509 *x509, const ASN1_TIME *tm); 370 371 // X509_get0_uids sets |*out_issuer_uid| to a non-owning pointer to the 372 // issuerUID field of |x509|, or NULL if |x509| has no issuerUID. It similarly 373 // outputs |x509|'s subjectUID field to |*out_subject_uid|. 374 // 375 // Callers may pass NULL to either |out_issuer_uid| or |out_subject_uid| to 376 // ignore the corresponding field. 377 OPENSSL_EXPORT void X509_get0_uids(const X509 *x509, 378 const ASN1_BIT_STRING **out_issuer_uid, 379 const ASN1_BIT_STRING **out_subject_uid); 380 381 // X509_extract_key is a legacy alias to |X509_get_pubkey|. Use 382 // |X509_get_pubkey| instead. 383 #define X509_extract_key(x) X509_get_pubkey(x) 384 385 // X509_get_pathlen returns path length constraint from the basic constraints 386 // extension in |x509|. (See RFC 5280, section 4.2.1.9.) It returns -1 if the 387 // constraint is not present, or if some extension in |x509| was invalid. 388 // 389 // Note that decoding an |X509| object will not check for invalid extensions. To 390 // detect the error case, call |X509_get_extensions_flags| and check the 391 // |EXFLAG_INVALID| bit. 392 OPENSSL_EXPORT long X509_get_pathlen(X509 *x509); 393 394 // X509_REQ_VERSION_1 is the version constant for |X509_REQ| objects. No other 395 // versions are defined. 396 #define X509_REQ_VERSION_1 0 397 398 // X509_REQ_get_version returns the numerical value of |req|'s version. This 399 // will always be |X509_REQ_VERSION_1|. 400 OPENSSL_EXPORT long X509_REQ_get_version(const X509_REQ *req); 401 402 // X509_REQ_get_subject_name returns |req|'s subject name. Note this function is 403 // not const-correct for legacy reasons. 404 OPENSSL_EXPORT X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req); 405 406 // X509_REQ_extract_key is a legacy alias for |X509_REQ_get_pubkey|. 407 #define X509_REQ_extract_key(a) X509_REQ_get_pubkey(a) 408 409 // X509_name_cmp is a legacy alias for |X509_NAME_cmp|. 410 #define X509_name_cmp(a, b) X509_NAME_cmp((a), (b)) 411 412 #define X509_CRL_VERSION_1 0 413 #define X509_CRL_VERSION_2 1 414 415 // X509_CRL_get_version returns the numerical value of |crl|'s version, which 416 // will be one of the |X509_CRL_VERSION_*| constants. 417 OPENSSL_EXPORT long X509_CRL_get_version(const X509_CRL *crl); 418 419 // X509_CRL_get0_lastUpdate returns |crl|'s lastUpdate time. 420 OPENSSL_EXPORT const ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl); 421 422 // X509_CRL_get0_nextUpdate returns |crl|'s nextUpdate time, or NULL if |crl| 423 // has none. 424 OPENSSL_EXPORT const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl); 425 426 // X509_CRL_set1_lastUpdate sets |crl|'s lastUpdate time to |tm|. It returns one 427 // on success and zero on error. 428 OPENSSL_EXPORT int X509_CRL_set1_lastUpdate(X509_CRL *crl, const ASN1_TIME *tm); 429 430 // X509_CRL_set1_nextUpdate sets |crl|'s nextUpdate time to |tm|. It returns one 431 // on success and zero on error. 432 OPENSSL_EXPORT int X509_CRL_set1_nextUpdate(X509_CRL *crl, const ASN1_TIME *tm); 433 434 // The following symbols are deprecated aliases to |X509_CRL_set1_*|. 435 #define X509_CRL_set_lastUpdate X509_CRL_set1_lastUpdate 436 #define X509_CRL_set_nextUpdate X509_CRL_set1_nextUpdate 437 438 // X509_CRL_get_lastUpdate returns a mutable pointer to |crl|'s lastUpdate time. 439 // Use |X509_CRL_get0_lastUpdate| or |X509_CRL_set1_lastUpdate| instead. 440 OPENSSL_EXPORT ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl); 441 442 // X509_CRL_get_nextUpdate returns a mutable pointer to |crl|'s nextUpdate time, 443 // or NULL if |crl| has none. Use |X509_CRL_get0_nextUpdate| or 444 // |X509_CRL_set1_nextUpdate| instead. 445 OPENSSL_EXPORT ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl); 446 447 // X509_CRL_get_issuer returns |crl|'s issuer name. Note this function is not 448 // const-correct for legacy reasons. 449 OPENSSL_EXPORT X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl); 450 451 // X509_CRL_get_REVOKED returns the list of revoked certificates in |crl|, or 452 // NULL if |crl| omits it. 453 // 454 // TOOD(davidben): This function was originally a macro, without clear const 455 // semantics. It should take a const input and give const output, but the latter 456 // would break existing callers. For now, we match upstream. 457 OPENSSL_EXPORT STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl); 458 459 // X509_CRL_get0_extensions returns |crl|'s extension list, or NULL if |crl| 460 // omits it. 461 OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions( 462 const X509_CRL *crl); 463 464 // X509_SIG_get0 sets |*out_alg| and |*out_digest| to non-owning pointers to 465 // |sig|'s algorithm and digest fields, respectively. Either |out_alg| and 466 // |out_digest| may be NULL to skip those fields. 467 OPENSSL_EXPORT void X509_SIG_get0(const X509_SIG *sig, 468 const X509_ALGOR **out_alg, 469 const ASN1_OCTET_STRING **out_digest); 470 471 // X509_SIG_getm behaves like |X509_SIG_get0| but returns mutable pointers. 472 OPENSSL_EXPORT void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **out_alg, 473 ASN1_OCTET_STRING **out_digest); 474 475 // X509_get_X509_PUBKEY returns the public key of |x509|. Note this function is 476 // not const-correct for legacy reasons. Callers should not modify the returned 477 // object. 478 OPENSSL_EXPORT X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x509); 479 480 // X509_verify_cert_error_string returns |err| as a human-readable string, where 481 // |err| should be one of the |X509_V_*| values. If |err| is unknown, it returns 482 // a default description. 483 OPENSSL_EXPORT const char *X509_verify_cert_error_string(long err); 484 485 // X509_verify checks that |x509| has a valid signature by |pkey|. It returns 486 // one if the signature is valid and zero otherwise. Note this function only 487 // checks the signature itself and does not perform a full certificate 488 // validation. 489 OPENSSL_EXPORT int X509_verify(X509 *x509, EVP_PKEY *pkey); 490 491 // X509_REQ_verify checks that |req| has a valid signature by |pkey|. It returns 492 // one if the signature is valid and zero otherwise. 493 OPENSSL_EXPORT int X509_REQ_verify(X509_REQ *req, EVP_PKEY *pkey); 494 495 // X509_CRL_verify checks that |crl| has a valid signature by |pkey|. It returns 496 // one if the signature is valid and zero otherwise. 497 OPENSSL_EXPORT int X509_CRL_verify(X509_CRL *crl, EVP_PKEY *pkey); 498 499 // NETSCAPE_SPKI_verify checks that |spki| has a valid signature by |pkey|. It 500 // returns one if the signature is valid and zero otherwise. 501 OPENSSL_EXPORT int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *spki, EVP_PKEY *pkey); 502 503 // NETSCAPE_SPKI_b64_decode decodes |len| bytes from |str| as a base64-encoded 504 // Netscape signed public key and challenge (SPKAC) structure. It returns a 505 // newly-allocated |NETSCAPE_SPKI| structure with the result, or NULL on error. 506 // If |len| is 0 or negative, the length is calculated with |strlen| and |str| 507 // must be a NUL-terminated C string. 508 OPENSSL_EXPORT NETSCAPE_SPKI *NETSCAPE_SPKI_b64_decode(const char *str, 509 int len); 510 511 // NETSCAPE_SPKI_b64_encode encodes |spki| as a base64-encoded Netscape signed 512 // public key and challenge (SPKAC) structure. It returns a newly-allocated 513 // NUL-terminated C string with the result, or NULL on error. The caller must 514 // release the memory with |OPENSSL_free| when done. 515 OPENSSL_EXPORT char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki); 516 517 // NETSCAPE_SPKI_get_pubkey decodes and returns the public key in |spki| as an 518 // |EVP_PKEY|, or NULL on error. The caller takes ownership of the resulting 519 // pointer and must call |EVP_PKEY_free| when done. 520 OPENSSL_EXPORT EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *spki); 521 522 // NETSCAPE_SPKI_set_pubkey sets |spki|'s public key to |pkey|. It returns one 523 // on success or zero on error. This function does not take ownership of |pkey|, 524 // so the caller may continue to manage its lifetime independently of |spki|. 525 OPENSSL_EXPORT int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *spki, 526 EVP_PKEY *pkey); 527 528 // X509_signature_dump writes a human-readable representation of |sig| to |bio|, 529 // indented with |indent| spaces. It returns one on success and zero on error. 530 OPENSSL_EXPORT int X509_signature_dump(BIO *bio, const ASN1_STRING *sig, 531 int indent); 532 533 // X509_signature_print writes a human-readable representation of |alg| and 534 // |sig| to |bio|. It returns one on success and zero on error. 535 OPENSSL_EXPORT int X509_signature_print(BIO *bio, const X509_ALGOR *alg, 536 const ASN1_STRING *sig); 537 538 // X509_sign signs |x509| with |pkey| and replaces the signature algorithm and 539 // signature fields. It returns one on success and zero on error. This function 540 // uses digest algorithm |md|, or |pkey|'s default if NULL. Other signing 541 // parameters use |pkey|'s defaults. To customize them, use |X509_sign_ctx|. 542 OPENSSL_EXPORT int X509_sign(X509 *x509, EVP_PKEY *pkey, const EVP_MD *md); 543 544 // X509_sign_ctx signs |x509| with |ctx| and replaces the signature algorithm 545 // and signature fields. It returns one on success and zero on error. The 546 // signature algorithm and parameters come from |ctx|, which must have been 547 // initialized with |EVP_DigestSignInit|. The caller should configure the 548 // corresponding |EVP_PKEY_CTX| before calling this function. 549 OPENSSL_EXPORT int X509_sign_ctx(X509 *x509, EVP_MD_CTX *ctx); 550 551 // X509_REQ_sign signs |req| with |pkey| and replaces the signature algorithm 552 // and signature fields. It returns one on success and zero on error. This 553 // function uses digest algorithm |md|, or |pkey|'s default if NULL. Other 554 // signing parameters use |pkey|'s defaults. To customize them, use 555 // |X509_REQ_sign_ctx|. 556 OPENSSL_EXPORT int X509_REQ_sign(X509_REQ *req, EVP_PKEY *pkey, 557 const EVP_MD *md); 558 559 // X509_REQ_sign_ctx signs |req| with |ctx| and replaces the signature algorithm 560 // and signature fields. It returns one on success and zero on error. The 561 // signature algorithm and parameters come from |ctx|, which must have been 562 // initialized with |EVP_DigestSignInit|. The caller should configure the 563 // corresponding |EVP_PKEY_CTX| before calling this function. 564 OPENSSL_EXPORT int X509_REQ_sign_ctx(X509_REQ *req, EVP_MD_CTX *ctx); 565 566 // X509_CRL_sign signs |crl| with |pkey| and replaces the signature algorithm 567 // and signature fields. It returns one on success and zero on error. This 568 // function uses digest algorithm |md|, or |pkey|'s default if NULL. Other 569 // signing parameters use |pkey|'s defaults. To customize them, use 570 // |X509_CRL_sign_ctx|. 571 OPENSSL_EXPORT int X509_CRL_sign(X509_CRL *crl, EVP_PKEY *pkey, 572 const EVP_MD *md); 573 574 // X509_CRL_sign_ctx signs |crl| with |ctx| and replaces the signature algorithm 575 // and signature fields. It returns one on success and zero on error. The 576 // signature algorithm and parameters come from |ctx|, which must have been 577 // initialized with |EVP_DigestSignInit|. The caller should configure the 578 // corresponding |EVP_PKEY_CTX| before calling this function. 579 OPENSSL_EXPORT int X509_CRL_sign_ctx(X509_CRL *crl, EVP_MD_CTX *ctx); 580 581 // NETSCAPE_SPKI_sign signs |spki| with |pkey| and replaces the signature 582 // algorithm and signature fields. It returns one on success and zero on error. 583 // This function uses digest algorithm |md|, or |pkey|'s default if NULL. Other 584 // signing parameters use |pkey|'s defaults. 585 OPENSSL_EXPORT int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *spki, EVP_PKEY *pkey, 586 const EVP_MD *md); 587 588 // X509_pubkey_digest hashes the DER encoding of |x509|'s subjectPublicKeyInfo 589 // field with |md| and writes the result to |out|. |EVP_MD_CTX_size| bytes are 590 // written, which is at most |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, 591 // |*out_len| is set to the number of bytes written. This function returns one 592 // on success and zero on error. 593 OPENSSL_EXPORT int X509_pubkey_digest(const X509 *x509, const EVP_MD *md, 594 uint8_t *out, unsigned *out_len); 595 596 // X509_digest hashes |x509|'s DER encoding with |md| and writes the result to 597 // |out|. |EVP_MD_CTX_size| bytes are written, which is at most 598 // |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number 599 // of bytes written. This function returns one on success and zero on error. 600 // Note this digest covers the entire certificate, not just the signed portion. 601 OPENSSL_EXPORT int X509_digest(const X509 *x509, const EVP_MD *md, uint8_t *out, 602 unsigned *out_len); 603 604 // X509_CRL_digest hashes |crl|'s DER encoding with |md| and writes the result 605 // to |out|. |EVP_MD_CTX_size| bytes are written, which is at most 606 // |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number 607 // of bytes written. This function returns one on success and zero on error. 608 // Note this digest covers the entire CRL, not just the signed portion. 609 OPENSSL_EXPORT int X509_CRL_digest(const X509_CRL *crl, const EVP_MD *md, 610 uint8_t *out, unsigned *out_len); 611 612 // X509_REQ_digest hashes |req|'s DER encoding with |md| and writes the result 613 // to |out|. |EVP_MD_CTX_size| bytes are written, which is at most 614 // |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number 615 // of bytes written. This function returns one on success and zero on error. 616 // Note this digest covers the entire certificate request, not just the signed 617 // portion. 618 OPENSSL_EXPORT int X509_REQ_digest(const X509_REQ *req, const EVP_MD *md, 619 uint8_t *out, unsigned *out_len); 620 621 // X509_NAME_digest hashes |name|'s DER encoding with |md| and writes the result 622 // to |out|. |EVP_MD_CTX_size| bytes are written, which is at most 623 // |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number 624 // of bytes written. This function returns one on success and zero on error. 625 OPENSSL_EXPORT int X509_NAME_digest(const X509_NAME *name, const EVP_MD *md, 626 uint8_t *out, unsigned *out_len); 627 628 // X509_parse_from_buffer parses an X.509 structure from |buf| and returns a 629 // fresh X509 or NULL on error. There must not be any trailing data in |buf|. 630 // The returned structure (if any) holds a reference to |buf| rather than 631 // copying parts of it as a normal |d2i_X509| call would do. 632 OPENSSL_EXPORT X509 *X509_parse_from_buffer(CRYPTO_BUFFER *buf); 633 634 OPENSSL_EXPORT X509 *d2i_X509_fp(FILE *fp, X509 **x509); 635 OPENSSL_EXPORT int i2d_X509_fp(FILE *fp, X509 *x509); 636 OPENSSL_EXPORT X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl); 637 OPENSSL_EXPORT int i2d_X509_CRL_fp(FILE *fp, X509_CRL *crl); 638 OPENSSL_EXPORT X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **req); 639 OPENSSL_EXPORT int i2d_X509_REQ_fp(FILE *fp, X509_REQ *req); 640 OPENSSL_EXPORT RSA *d2i_RSAPrivateKey_fp(FILE *fp, RSA **rsa); 641 OPENSSL_EXPORT int i2d_RSAPrivateKey_fp(FILE *fp, RSA *rsa); 642 OPENSSL_EXPORT RSA *d2i_RSAPublicKey_fp(FILE *fp, RSA **rsa); 643 OPENSSL_EXPORT int i2d_RSAPublicKey_fp(FILE *fp, RSA *rsa); 644 OPENSSL_EXPORT RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa); 645 OPENSSL_EXPORT int i2d_RSA_PUBKEY_fp(FILE *fp, RSA *rsa); 646 #ifndef OPENSSL_NO_DSA 647 OPENSSL_EXPORT DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa); 648 OPENSSL_EXPORT int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa); 649 OPENSSL_EXPORT DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa); 650 OPENSSL_EXPORT int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa); 651 #endif 652 OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey); 653 OPENSSL_EXPORT int i2d_EC_PUBKEY_fp(FILE *fp, EC_KEY *eckey); 654 OPENSSL_EXPORT EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey); 655 OPENSSL_EXPORT int i2d_ECPrivateKey_fp(FILE *fp, EC_KEY *eckey); 656 OPENSSL_EXPORT X509_SIG *d2i_PKCS8_fp(FILE *fp, X509_SIG **p8); 657 OPENSSL_EXPORT int i2d_PKCS8_fp(FILE *fp, X509_SIG *p8); 658 OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp( 659 FILE *fp, PKCS8_PRIV_KEY_INFO **p8inf); 660 OPENSSL_EXPORT int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, 661 PKCS8_PRIV_KEY_INFO *p8inf); 662 OPENSSL_EXPORT int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key); 663 OPENSSL_EXPORT int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey); 664 OPENSSL_EXPORT EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a); 665 OPENSSL_EXPORT int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey); 666 OPENSSL_EXPORT EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a); 667 668 OPENSSL_EXPORT X509 *d2i_X509_bio(BIO *bp, X509 **x509); 669 OPENSSL_EXPORT int i2d_X509_bio(BIO *bp, X509 *x509); 670 OPENSSL_EXPORT X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl); 671 OPENSSL_EXPORT int i2d_X509_CRL_bio(BIO *bp, X509_CRL *crl); 672 OPENSSL_EXPORT X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **req); 673 OPENSSL_EXPORT int i2d_X509_REQ_bio(BIO *bp, X509_REQ *req); 674 OPENSSL_EXPORT RSA *d2i_RSAPrivateKey_bio(BIO *bp, RSA **rsa); 675 OPENSSL_EXPORT int i2d_RSAPrivateKey_bio(BIO *bp, RSA *rsa); 676 OPENSSL_EXPORT RSA *d2i_RSAPublicKey_bio(BIO *bp, RSA **rsa); 677 OPENSSL_EXPORT int i2d_RSAPublicKey_bio(BIO *bp, RSA *rsa); 678 OPENSSL_EXPORT RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa); 679 OPENSSL_EXPORT int i2d_RSA_PUBKEY_bio(BIO *bp, RSA *rsa); 680 #ifndef OPENSSL_NO_DSA 681 OPENSSL_EXPORT DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa); 682 OPENSSL_EXPORT int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa); 683 OPENSSL_EXPORT DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa); 684 OPENSSL_EXPORT int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa); 685 #endif 686 OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey); 687 OPENSSL_EXPORT int i2d_EC_PUBKEY_bio(BIO *bp, EC_KEY *eckey); 688 OPENSSL_EXPORT EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey); 689 OPENSSL_EXPORT int i2d_ECPrivateKey_bio(BIO *bp, EC_KEY *eckey); 690 OPENSSL_EXPORT X509_SIG *d2i_PKCS8_bio(BIO *bp, X509_SIG **p8); 691 OPENSSL_EXPORT int i2d_PKCS8_bio(BIO *bp, X509_SIG *p8); 692 OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio( 693 BIO *bp, PKCS8_PRIV_KEY_INFO **p8inf); 694 OPENSSL_EXPORT int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, 695 PKCS8_PRIV_KEY_INFO *p8inf); 696 OPENSSL_EXPORT int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key); 697 OPENSSL_EXPORT int i2d_PrivateKey_bio(BIO *bp, EVP_PKEY *pkey); 698 OPENSSL_EXPORT EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a); 699 OPENSSL_EXPORT int i2d_PUBKEY_bio(BIO *bp, EVP_PKEY *pkey); 700 OPENSSL_EXPORT EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a); 701 OPENSSL_EXPORT DH *d2i_DHparams_bio(BIO *bp, DH **dh); 702 OPENSSL_EXPORT int i2d_DHparams_bio(BIO *bp, const DH *dh); 703 704 OPENSSL_EXPORT X509 *X509_dup(X509 *x509); 705 OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_dup(X509_ATTRIBUTE *xa); 706 OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_dup(X509_EXTENSION *ex); 707 OPENSSL_EXPORT X509_CRL *X509_CRL_dup(X509_CRL *crl); 708 OPENSSL_EXPORT X509_REVOKED *X509_REVOKED_dup(X509_REVOKED *rev); 709 OPENSSL_EXPORT X509_REQ *X509_REQ_dup(X509_REQ *req); 710 OPENSSL_EXPORT X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn); 711 712 // X509_ALGOR_set0 sets |alg| to an AlgorithmIdentifier with algorithm |obj| and 713 // parameter determined by |param_type| and |param_value|. It returns one on 714 // success and zero on error. This function takes ownership of |obj| and 715 // |param_value| on success. 716 // 717 // If |param_type| is |V_ASN1_UNDEF|, the parameter is omitted. If |param_type| 718 // is zero, the parameter is left unchanged. Otherwise, |param_type| and 719 // |param_value| are interpreted as in |ASN1_TYPE_set|. 720 // 721 // Note omitting the parameter (|V_ASN1_UNDEF|) and encoding an explicit NULL 722 // value (|V_ASN1_NULL|) are different. Some algorithms require one and some the 723 // other. Consult the relevant specification before calling this function. The 724 // correct parameter for an RSASSA-PKCS1-v1_5 signature is |V_ASN1_NULL|. The 725 // correct one for an ECDSA or Ed25519 signature is |V_ASN1_UNDEF|. 726 OPENSSL_EXPORT int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *obj, 727 int param_type, void *param_value); 728 729 // X509_ALGOR_get0 sets |*out_obj| to the |alg|'s algorithm. If |alg|'s 730 // parameter is omitted, it sets |*out_param_type| and |*out_param_value| to 731 // |V_ASN1_UNDEF| and NULL. Otherwise, it sets |*out_param_type| and 732 // |*out_param_value| to the parameter, using the same representation as 733 // |ASN1_TYPE_set0|. See |ASN1_TYPE_set0| and |ASN1_TYPE| for details. 734 // 735 // Callers that require the parameter in serialized form should, after checking 736 // for |V_ASN1_UNDEF|, use |ASN1_TYPE_set1| and |d2i_ASN1_TYPE|, rather than 737 // inspecting |*out_param_value|. 738 // 739 // Each of |out_obj|, |out_param_type|, and |out_param_value| may be NULL to 740 // ignore the output. If |out_param_type| is NULL, |out_param_value| is ignored. 741 // 742 // WARNING: If |*out_param_type| is set to |V_ASN1_UNDEF|, OpenSSL and older 743 // revisions of BoringSSL leave |*out_param_value| unset rather than setting it 744 // to NULL. Callers that support both OpenSSL and BoringSSL should not assume 745 // |*out_param_value| is uniformly initialized. 746 OPENSSL_EXPORT void X509_ALGOR_get0(const ASN1_OBJECT **out_obj, 747 int *out_param_type, 748 const void **out_param_value, 749 const X509_ALGOR *alg); 750 751 // X509_ALGOR_set_md sets |alg| to the hash function |md|. Note this 752 // AlgorithmIdentifier represents the hash function itself, not a signature 753 // algorithm that uses |md|. 754 OPENSSL_EXPORT void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md); 755 756 // X509_ALGOR_cmp returns zero if |a| and |b| are equal, and some non-zero value 757 // otherwise. Note this function can only be used for equality checks, not an 758 // ordering. 759 OPENSSL_EXPORT int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b); 760 761 OPENSSL_EXPORT X509_NAME *X509_NAME_dup(X509_NAME *xn); 762 OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne); 763 OPENSSL_EXPORT int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne); 764 765 OPENSSL_EXPORT int X509_NAME_get0_der(X509_NAME *nm, const unsigned char **pder, 766 size_t *pderlen); 767 768 // X509_cmp_time compares |s| against |*t|. On success, it returns a negative 769 // number if |s| <= |*t| and a positive number if |s| > |*t|. On error, it 770 // returns zero. If |t| is NULL, it uses the current time instead of |*t|. 771 // 772 // WARNING: Unlike most comparison functions, this function returns zero on 773 // error, not equality. 774 OPENSSL_EXPORT int X509_cmp_time(const ASN1_TIME *s, time_t *t); 775 776 // X509_cmp_current_time behaves like |X509_cmp_time| but compares |s| against 777 // the current time. 778 OPENSSL_EXPORT int X509_cmp_current_time(const ASN1_TIME *s); 779 780 // X509_time_adj calls |X509_time_adj_ex| with |offset_day| equal to zero. 781 OPENSSL_EXPORT ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, 782 time_t *t); 783 784 // X509_time_adj_ex behaves like |ASN1_TIME_adj|, but adds an offset to |*t|. If 785 // |t| is NULL, it uses the current time instead of |*t|. 786 OPENSSL_EXPORT ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, int offset_day, 787 long offset_sec, time_t *t); 788 789 // X509_gmtime_adj behaves like |X509_time_adj_ex| but adds |offset_sec| to the 790 // current time. 791 OPENSSL_EXPORT ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long offset_sec); 792 793 OPENSSL_EXPORT const char *X509_get_default_cert_area(void); 794 OPENSSL_EXPORT const char *X509_get_default_cert_dir(void); 795 OPENSSL_EXPORT const char *X509_get_default_cert_file(void); 796 OPENSSL_EXPORT const char *X509_get_default_cert_dir_env(void); 797 OPENSSL_EXPORT const char *X509_get_default_cert_file_env(void); 798 OPENSSL_EXPORT const char *X509_get_default_private_dir(void); 799 800 DECLARE_ASN1_ENCODE_FUNCTIONS(X509_ALGORS, X509_ALGORS, X509_ALGORS) 801 802 DECLARE_ASN1_FUNCTIONS(X509_PUBKEY) 803 804 // X509_PUBKEY_set serializes |pkey| into a newly-allocated |X509_PUBKEY| 805 // structure. On success, it frees |*x|, sets |*x| to the new object, and 806 // returns one. Otherwise, it returns zero. 807 OPENSSL_EXPORT int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey); 808 809 // X509_PUBKEY_get decodes the public key in |key| and returns an |EVP_PKEY| on 810 // success, or NULL on error. The caller must release the result with 811 // |EVP_PKEY_free| when done. The |EVP_PKEY| is cached in |key|, so callers must 812 // not mutate the result. 813 OPENSSL_EXPORT EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key); 814 815 DECLARE_ASN1_FUNCTIONS(X509_SIG) 816 DECLARE_ASN1_FUNCTIONS(X509_REQ) 817 818 DECLARE_ASN1_FUNCTIONS(X509_ATTRIBUTE) 819 820 // X509_ATTRIBUTE_create returns a newly-allocated |X509_ATTRIBUTE|, or NULL on 821 // error. The attribute has type |nid| and contains a single value determined by 822 // |attrtype| and |value|, which are interpreted as in |ASN1_TYPE_set|. Note 823 // this function takes ownership of |value|. 824 OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int attrtype, 825 void *value); 826 827 DECLARE_ASN1_FUNCTIONS(X509_EXTENSION) 828 DECLARE_ASN1_ENCODE_FUNCTIONS(X509_EXTENSIONS, X509_EXTENSIONS, X509_EXTENSIONS) 829 830 DECLARE_ASN1_FUNCTIONS(X509_NAME_ENTRY) 831 832 DECLARE_ASN1_FUNCTIONS(X509_NAME) 833 834 // X509_NAME_set makes a copy of |name|. On success, it frees |*xn|, sets |*xn| 835 // to the copy, and returns one. Otherwise, it returns zero. 836 OPENSSL_EXPORT int X509_NAME_set(X509_NAME **xn, X509_NAME *name); 837 838 DECLARE_ASN1_FUNCTIONS(X509) 839 840 // X509_up_ref adds one to the reference count of |x509| and returns one. 841 OPENSSL_EXPORT int X509_up_ref(X509 *x509); 842 843 OPENSSL_EXPORT int X509_get_ex_new_index(long argl, void *argp, 844 CRYPTO_EX_unused *unused, 845 CRYPTO_EX_dup *dup_unused, 846 CRYPTO_EX_free *free_func); 847 OPENSSL_EXPORT int X509_set_ex_data(X509 *r, int idx, void *arg); 848 OPENSSL_EXPORT void *X509_get_ex_data(X509 *r, int idx); 849 850 // i2d_re_X509_tbs serializes the TBSCertificate portion of |x509|, as described 851 // in |i2d_SAMPLE|. 852 // 853 // This function re-encodes the TBSCertificate and may not reflect |x509|'s 854 // original encoding. It may be used to manually generate a signature for a new 855 // certificate. To verify certificates, use |i2d_X509_tbs| instead. 856 OPENSSL_EXPORT int i2d_re_X509_tbs(X509 *x509, unsigned char **outp); 857 858 // i2d_X509_tbs serializes the TBSCertificate portion of |x509|, as described in 859 // |i2d_SAMPLE|. 860 // 861 // This function preserves the original encoding of the TBSCertificate and may 862 // not reflect modifications made to |x509|. It may be used to manually verify 863 // the signature of an existing certificate. To generate certificates, use 864 // |i2d_re_X509_tbs| instead. 865 OPENSSL_EXPORT int i2d_X509_tbs(X509 *x509, unsigned char **outp); 866 867 // X509_set1_signature_algo sets |x509|'s signature algorithm to |algo| and 868 // returns one on success or zero on error. It updates both the signature field 869 // of the TBSCertificate structure, and the signatureAlgorithm field of the 870 // Certificate. 871 OPENSSL_EXPORT int X509_set1_signature_algo(X509 *x509, const X509_ALGOR *algo); 872 873 // X509_set1_signature_value sets |x509|'s signature to a copy of the |sig_len| 874 // bytes pointed by |sig|. It returns one on success and zero on error. 875 // 876 // Due to a specification error, X.509 certificates store signatures in ASN.1 877 // BIT STRINGs, but signature algorithms return byte strings rather than bit 878 // strings. This function creates a BIT STRING containing a whole number of 879 // bytes, with the bit order matching the DER encoding. This matches the 880 // encoding used by all X.509 signature algorithms. 881 OPENSSL_EXPORT int X509_set1_signature_value(X509 *x509, const uint8_t *sig, 882 size_t sig_len); 883 884 // X509_get0_signature sets |*out_sig| and |*out_alg| to the signature and 885 // signature algorithm of |x509|, respectively. Either output pointer may be 886 // NULL to ignore the value. 887 // 888 // This function outputs the outer signature algorithm. For the one in the 889 // TBSCertificate, see |X509_get0_tbs_sigalg|. Certificates with mismatched 890 // signature algorithms will successfully parse, but they will be rejected when 891 // verifying. 892 OPENSSL_EXPORT void X509_get0_signature(const ASN1_BIT_STRING **out_sig, 893 const X509_ALGOR **out_alg, 894 const X509 *x509); 895 896 // X509_get_signature_nid returns the NID corresponding to |x509|'s signature 897 // algorithm, or |NID_undef| if the signature algorithm does not correspond to 898 // a known NID. 899 OPENSSL_EXPORT int X509_get_signature_nid(const X509 *x509); 900 901 902 // Auxiliary properties. 903 // 904 // |X509| objects optionally maintain auxiliary properties. These are not part 905 // of the certificates themselves, and thus are not covered by signatures or 906 // preserved by the standard serialization. They are used as inputs or outputs 907 // to other functions in this library. 908 909 // i2d_X509_AUX marshals |x509| as a DER-encoded X.509 Certificate (RFC 5280), 910 // followed optionally by a separate, OpenSSL-specific structure with auxiliary 911 // properties. It behaves as described in |i2d_SAMPLE|. 912 // 913 // Unlike similarly-named functions, this function does not output a single 914 // ASN.1 element. Directly embedding the output in a larger ASN.1 structure will 915 // not behave correctly. 916 OPENSSL_EXPORT int i2d_X509_AUX(X509 *x509, unsigned char **outp); 917 918 // d2i_X509_AUX parses up to |length| bytes from |*inp| as a DER-encoded X.509 919 // Certificate (RFC 5280), followed optionally by a separate, OpenSSL-specific 920 // structure with auxiliary properties. It behaves as described in 921 // |d2i_SAMPLE_with_reuse|. 922 // 923 // Some auxiliary properties affect trust decisions, so this function should not 924 // be used with untrusted input. 925 // 926 // Unlike similarly-named functions, this function does not parse a single 927 // ASN.1 element. Trying to parse data directly embedded in a larger ASN.1 928 // structure will not behave correctly. 929 OPENSSL_EXPORT X509 *d2i_X509_AUX(X509 **x509, const unsigned char **inp, 930 long length); 931 932 // X509_alias_set1 sets |x509|'s alias to |len| bytes from |name|. If |name| is 933 // NULL, the alias is cleared instead. Aliases are not part of the certificate 934 // itself and will not be serialized by |i2d_X509|. 935 OPENSSL_EXPORT int X509_alias_set1(X509 *x509, const unsigned char *name, 936 int len); 937 938 // X509_keyid_set1 sets |x509|'s key ID to |len| bytes from |id|. If |id| is 939 // NULL, the key ID is cleared instead. Key IDs are not part of the certificate 940 // itself and will not be serialized by |i2d_X509|. 941 OPENSSL_EXPORT int X509_keyid_set1(X509 *x509, const unsigned char *id, 942 int len); 943 944 // X509_alias_get0 looks up |x509|'s alias. If found, it sets |*out_len| to the 945 // alias's length and returns a pointer to a buffer containing the contents. If 946 // not found, it outputs the empty string by returning NULL and setting 947 // |*out_len| to zero. 948 // 949 // If |x509| was parsed from a PKCS#12 structure (see 950 // |PKCS12_get_key_and_certs|), the alias will reflect the friendlyName 951 // attribute (RFC 2985). 952 // 953 // WARNING: In OpenSSL, this function did not set |*out_len| when the alias was 954 // missing. Callers that target both OpenSSL and BoringSSL should set the value 955 // to zero before calling this function. 956 OPENSSL_EXPORT unsigned char *X509_alias_get0(X509 *x509, int *out_len); 957 958 // X509_keyid_get0 looks up |x509|'s key ID. If found, it sets |*out_len| to the 959 // key ID's length and returns a pointer to a buffer containing the contents. If 960 // not found, it outputs the empty string by returning NULL and setting 961 // |*out_len| to zero. 962 // 963 // WARNING: In OpenSSL, this function did not set |*out_len| when the alias was 964 // missing. Callers that target both OpenSSL and BoringSSL should set the value 965 // to zero before calling this function. 966 OPENSSL_EXPORT unsigned char *X509_keyid_get0(X509 *x509, int *out_len); 967 968 OPENSSL_EXPORT int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj); 969 OPENSSL_EXPORT int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj); 970 OPENSSL_EXPORT void X509_trust_clear(X509 *x); 971 OPENSSL_EXPORT void X509_reject_clear(X509 *x); 972 973 974 OPENSSL_EXPORT int X509_TRUST_set(int *t, int trust); 975 976 DECLARE_ASN1_FUNCTIONS(X509_REVOKED) 977 DECLARE_ASN1_FUNCTIONS(X509_CRL) 978 979 OPENSSL_EXPORT int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev); 980 OPENSSL_EXPORT int X509_CRL_get0_by_serial(X509_CRL *crl, X509_REVOKED **ret, 981 ASN1_INTEGER *serial); 982 OPENSSL_EXPORT int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, 983 X509 *x); 984 985 OPENSSL_EXPORT X509_PKEY *X509_PKEY_new(void); 986 OPENSSL_EXPORT void X509_PKEY_free(X509_PKEY *a); 987 988 DECLARE_ASN1_FUNCTIONS(NETSCAPE_SPKI) 989 DECLARE_ASN1_FUNCTIONS(NETSCAPE_SPKAC) 990 991 OPENSSL_EXPORT X509_INFO *X509_INFO_new(void); 992 OPENSSL_EXPORT void X509_INFO_free(X509_INFO *a); 993 OPENSSL_EXPORT char *X509_NAME_oneline(const X509_NAME *a, char *buf, int size); 994 995 OPENSSL_EXPORT int ASN1_digest(i2d_of_void *i2d, const EVP_MD *type, char *data, 996 unsigned char *md, unsigned int *len); 997 998 OPENSSL_EXPORT int ASN1_item_digest(const ASN1_ITEM *it, const EVP_MD *type, 999 void *data, unsigned char *md, 1000 unsigned int *len); 1001 1002 OPENSSL_EXPORT int ASN1_item_verify(const ASN1_ITEM *it, 1003 const X509_ALGOR *algor1, 1004 const ASN1_BIT_STRING *signature, 1005 void *data, EVP_PKEY *pkey); 1006 1007 OPENSSL_EXPORT int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, 1008 X509_ALGOR *algor2, 1009 ASN1_BIT_STRING *signature, void *data, 1010 EVP_PKEY *pkey, const EVP_MD *type); 1011 OPENSSL_EXPORT int ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1, 1012 X509_ALGOR *algor2, 1013 ASN1_BIT_STRING *signature, void *asn, 1014 EVP_MD_CTX *ctx); 1015 1016 // X509_get_serialNumber returns a mutable pointer to |x509|'s serial number. 1017 // Prefer |X509_get0_serialNumber|. 1018 OPENSSL_EXPORT ASN1_INTEGER *X509_get_serialNumber(X509 *x509); 1019 1020 // X509_set_issuer_name sets |x509|'s issuer to a copy of |name|. It returns one 1021 // on success and zero on error. 1022 OPENSSL_EXPORT int X509_set_issuer_name(X509 *x509, X509_NAME *name); 1023 1024 // X509_get_issuer_name returns |x509|'s issuer. 1025 OPENSSL_EXPORT X509_NAME *X509_get_issuer_name(const X509 *x509); 1026 1027 // X509_set_subject_name sets |x509|'s subject to a copy of |name|. It returns 1028 // one on success and zero on error. 1029 OPENSSL_EXPORT int X509_set_subject_name(X509 *x509, X509_NAME *name); 1030 1031 // X509_get_issuer_name returns |x509|'s subject. 1032 OPENSSL_EXPORT X509_NAME *X509_get_subject_name(const X509 *x509); 1033 1034 // X509_set_pubkey sets |x509|'s public key to |pkey|. It returns one on success 1035 // and zero on error. This function does not take ownership of |pkey| and 1036 // internally copies and updates reference counts as needed. 1037 OPENSSL_EXPORT int X509_set_pubkey(X509 *x509, EVP_PKEY *pkey); 1038 1039 // X509_get_pubkey returns |x509|'s public key as an |EVP_PKEY|, or NULL if the 1040 // public key was unsupported or could not be decoded. This function returns a 1041 // reference to the |EVP_PKEY|. The caller must release the result with 1042 // |EVP_PKEY_free| when done. 1043 OPENSSL_EXPORT EVP_PKEY *X509_get_pubkey(X509 *x509); 1044 1045 // X509_get0_pubkey_bitstr returns the BIT STRING portion of |x509|'s public 1046 // key. Note this does not contain the AlgorithmIdentifier portion. 1047 // 1048 // WARNING: This function returns a non-const pointer for OpenSSL compatibility, 1049 // but the caller must not modify the resulting object. Doing so will break 1050 // internal invariants in |x509|. 1051 OPENSSL_EXPORT ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x509); 1052 1053 // X509_get0_extensions returns |x509|'s extension list, or NULL if |x509| omits 1054 // it. 1055 OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_get0_extensions( 1056 const X509 *x509); 1057 1058 // X509_get0_tbs_sigalg returns the signature algorithm in |x509|'s 1059 // TBSCertificate. For the outer signature algorithm, see |X509_get0_signature|. 1060 // 1061 // Certificates with mismatched signature algorithms will successfully parse, 1062 // but they will be rejected when verifying. 1063 OPENSSL_EXPORT const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x509); 1064 1065 // X509_REQ_set_version sets |req|'s version to |version|, which should be 1066 // |X509_REQ_VERSION_1|. It returns one on success and zero on error. 1067 // 1068 // The only defined CSR version is |X509_REQ_VERSION_1|, so there is no need to 1069 // call this function. 1070 OPENSSL_EXPORT int X509_REQ_set_version(X509_REQ *req, long version); 1071 1072 // X509_REQ_set_subject_name sets |req|'s subject to a copy of |name|. It 1073 // returns one on success and zero on error. 1074 OPENSSL_EXPORT int X509_REQ_set_subject_name(X509_REQ *req, X509_NAME *name); 1075 1076 // X509_REQ_get0_signature sets |*out_sig| and |*out_alg| to the signature and 1077 // signature algorithm of |req|, respectively. Either output pointer may be NULL 1078 // to ignore the value. 1079 OPENSSL_EXPORT void X509_REQ_get0_signature(const X509_REQ *req, 1080 const ASN1_BIT_STRING **out_sig, 1081 const X509_ALGOR **out_alg); 1082 1083 // X509_REQ_get_signature_nid returns the NID corresponding to |req|'s signature 1084 // algorithm, or |NID_undef| if the signature algorithm does not correspond to 1085 // a known NID. 1086 OPENSSL_EXPORT int X509_REQ_get_signature_nid(const X509_REQ *req); 1087 1088 // i2d_re_X509_REQ_tbs serializes the CertificationRequestInfo (see RFC 2986) 1089 // portion of |req|, as described in |i2d_SAMPLE|. 1090 // 1091 // This function re-encodes the CertificationRequestInfo and may not reflect 1092 // |req|'s original encoding. It may be used to manually generate a signature 1093 // for a new certificate request. 1094 OPENSSL_EXPORT int i2d_re_X509_REQ_tbs(X509_REQ *req, uint8_t **outp); 1095 1096 // X509_REQ_set_pubkey sets |req|'s public key to |pkey|. It returns one on 1097 // success and zero on error. This function does not take ownership of |pkey| 1098 // and internally copies and updates reference counts as needed. 1099 OPENSSL_EXPORT int X509_REQ_set_pubkey(X509_REQ *req, EVP_PKEY *pkey); 1100 1101 // X509_REQ_get_pubkey returns |req|'s public key as an |EVP_PKEY|, or NULL if 1102 // the public key was unsupported or could not be decoded. This function returns 1103 // a reference to the |EVP_PKEY|. The caller must release the result with 1104 // |EVP_PKEY_free| when done. 1105 OPENSSL_EXPORT EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req); 1106 1107 // X509_REQ_extension_nid returns one if |nid| is a supported CSR attribute type 1108 // for carrying extensions and zero otherwise. The supported types are 1109 // |NID_ext_req| (pkcs-9-at-extensionRequest from RFC 2985) and |NID_ms_ext_req| 1110 // (a Microsoft szOID_CERT_EXTENSIONS variant). 1111 OPENSSL_EXPORT int X509_REQ_extension_nid(int nid); 1112 1113 // X509_REQ_get_extensions decodes the list of requested extensions in |req| and 1114 // returns a newly-allocated |STACK_OF(X509_EXTENSION)| containing the result. 1115 // It returns NULL on error, or if |req| did not request extensions. 1116 // 1117 // This function supports both pkcs-9-at-extensionRequest from RFC 2985 and the 1118 // Microsoft szOID_CERT_EXTENSIONS variant. 1119 OPENSSL_EXPORT STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req); 1120 1121 // X509_REQ_add_extensions_nid adds an attribute to |req| of type |nid|, to 1122 // request the certificate extensions in |exts|. It returns one on success and 1123 // zero on error. |nid| should be |NID_ext_req| or |NID_ms_ext_req|. 1124 OPENSSL_EXPORT int X509_REQ_add_extensions_nid( 1125 X509_REQ *req, const STACK_OF(X509_EXTENSION) *exts, int nid); 1126 1127 // X509_REQ_add_extensions behaves like |X509_REQ_add_extensions_nid|, using the 1128 // standard |NID_ext_req| for the attribute type. 1129 OPENSSL_EXPORT int X509_REQ_add_extensions( 1130 X509_REQ *req, const STACK_OF(X509_EXTENSION) *exts); 1131 1132 // X509_REQ_get_attr_count returns the number of attributes in |req|. 1133 OPENSSL_EXPORT int X509_REQ_get_attr_count(const X509_REQ *req); 1134 1135 // X509_REQ_get_attr_by_NID returns the index of the attribute in |req| of type 1136 // |nid|, or a negative number if not found. If found, callers can use 1137 // |X509_REQ_get_attr| to look up the attribute by index. 1138 // 1139 // If |lastpos| is non-negative, it begins searching at |lastpos| + 1. Callers 1140 // can thus loop over all matching attributes by first passing -1 and then 1141 // passing the previously-returned value until no match is returned. 1142 OPENSSL_EXPORT int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid, 1143 int lastpos); 1144 1145 // X509_REQ_get_attr_by_OBJ behaves like |X509_REQ_get_attr_by_NID| but looks 1146 // for attributes of type |obj|. 1147 OPENSSL_EXPORT int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, 1148 const ASN1_OBJECT *obj, 1149 int lastpos); 1150 1151 // X509_REQ_get_attr returns the attribute at index |loc| in |req|, or NULL if 1152 // out of bounds. 1153 OPENSSL_EXPORT X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc); 1154 1155 // X509_REQ_delete_attr removes the attribute at index |loc| in |req|. It 1156 // returns the removed attribute to the caller, or NULL if |loc| was out of 1157 // bounds. If non-NULL, the caller must release the result with 1158 // |X509_ATTRIBUTE_free| when done. It is also safe, but not necessary, to call 1159 // |X509_ATTRIBUTE_free| if the result is NULL. 1160 OPENSSL_EXPORT X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc); 1161 1162 // X509_REQ_add1_attr appends a copy of |attr| to |req|'s list of attributes. It 1163 // returns one on success and zero on error. 1164 // 1165 // TODO(https://crbug.com/boringssl/407): |attr| should be const. 1166 OPENSSL_EXPORT int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr); 1167 1168 // X509_REQ_add1_attr_by_OBJ appends a new attribute to |req| with type |obj|. 1169 // It returns one on success and zero on error. The value is determined by 1170 // |X509_ATTRIBUTE_set1_data|. 1171 // 1172 // WARNING: The interpretation of |attrtype|, |data|, and |len| is complex and 1173 // error-prone. See |X509_ATTRIBUTE_set1_data| for details. 1174 OPENSSL_EXPORT int X509_REQ_add1_attr_by_OBJ(X509_REQ *req, 1175 const ASN1_OBJECT *obj, 1176 int attrtype, 1177 const unsigned char *data, 1178 int len); 1179 1180 // X509_REQ_add1_attr_by_NID behaves like |X509_REQ_add1_attr_by_OBJ| except the 1181 // attribute type is determined by |nid|. 1182 OPENSSL_EXPORT int X509_REQ_add1_attr_by_NID(X509_REQ *req, int nid, 1183 int attrtype, 1184 const unsigned char *data, 1185 int len); 1186 1187 // X509_REQ_add1_attr_by_txt behaves like |X509_REQ_add1_attr_by_OBJ| except the 1188 // attribute type is determined by calling |OBJ_txt2obj| with |attrname|. 1189 OPENSSL_EXPORT int X509_REQ_add1_attr_by_txt(X509_REQ *req, 1190 const char *attrname, int attrtype, 1191 const unsigned char *data, 1192 int len); 1193 1194 // X509_CRL_set_version sets |crl|'s version to |version|, which should be one 1195 // of the |X509_CRL_VERSION_*| constants. It returns one on success and zero on 1196 // error. 1197 // 1198 // If unsure, use |X509_CRL_VERSION_2|. Note that, unlike certificates, CRL 1199 // versions are only defined up to v2. Callers should not use |X509_VERSION_3|. 1200 OPENSSL_EXPORT int X509_CRL_set_version(X509_CRL *crl, long version); 1201 1202 // X509_CRL_set_issuer_name sets |crl|'s issuer to a copy of |name|. It returns 1203 // one on success and zero on error. 1204 OPENSSL_EXPORT int X509_CRL_set_issuer_name(X509_CRL *crl, X509_NAME *name); 1205 1206 OPENSSL_EXPORT int X509_CRL_sort(X509_CRL *crl); 1207 1208 // X509_CRL_up_ref adds one to the reference count of |crl| and returns one. 1209 OPENSSL_EXPORT int X509_CRL_up_ref(X509_CRL *crl); 1210 1211 // X509_CRL_get0_signature sets |*out_sig| and |*out_alg| to the signature and 1212 // signature algorithm of |crl|, respectively. Either output pointer may be NULL 1213 // to ignore the value. 1214 // 1215 // This function outputs the outer signature algorithm, not the one in the 1216 // TBSCertList. CRLs with mismatched signature algorithms will successfully 1217 // parse, but they will be rejected when verifying. 1218 OPENSSL_EXPORT void X509_CRL_get0_signature(const X509_CRL *crl, 1219 const ASN1_BIT_STRING **out_sig, 1220 const X509_ALGOR **out_alg); 1221 1222 // X509_CRL_get_signature_nid returns the NID corresponding to |crl|'s signature 1223 // algorithm, or |NID_undef| if the signature algorithm does not correspond to 1224 // a known NID. 1225 OPENSSL_EXPORT int X509_CRL_get_signature_nid(const X509_CRL *crl); 1226 1227 // i2d_re_X509_CRL_tbs serializes the TBSCertList portion of |crl|, as described 1228 // in |i2d_SAMPLE|. 1229 // 1230 // This function re-encodes the TBSCertList and may not reflect |crl|'s original 1231 // encoding. It may be used to manually generate a signature for a new CRL. To 1232 // verify CRLs, use |i2d_X509_CRL_tbs| instead. 1233 OPENSSL_EXPORT int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **outp); 1234 1235 // i2d_X509_CRL_tbs serializes the TBSCertList portion of |crl|, as described in 1236 // |i2d_SAMPLE|. 1237 // 1238 // This function preserves the original encoding of the TBSCertList and may not 1239 // reflect modifications made to |crl|. It may be used to manually verify the 1240 // signature of an existing CRL. To generate CRLs, use |i2d_re_X509_CRL_tbs| 1241 // instead. 1242 OPENSSL_EXPORT int i2d_X509_CRL_tbs(X509_CRL *crl, unsigned char **outp); 1243 1244 // X509_CRL_set1_signature_algo sets |crl|'s signature algorithm to |algo| and 1245 // returns one on success or zero on error. It updates both the signature field 1246 // of the TBSCertList structure, and the signatureAlgorithm field of the CRL. 1247 OPENSSL_EXPORT int X509_CRL_set1_signature_algo(X509_CRL *crl, 1248 const X509_ALGOR *algo); 1249 1250 // X509_CRL_set1_signature_value sets |crl|'s signature to a copy of the 1251 // |sig_len| bytes pointed by |sig|. It returns one on success and zero on 1252 // error. 1253 // 1254 // Due to a specification error, X.509 CRLs store signatures in ASN.1 BIT 1255 // STRINGs, but signature algorithms return byte strings rather than bit 1256 // strings. This function creates a BIT STRING containing a whole number of 1257 // bytes, with the bit order matching the DER encoding. This matches the 1258 // encoding used by all X.509 signature algorithms. 1259 OPENSSL_EXPORT int X509_CRL_set1_signature_value(X509_CRL *crl, 1260 const uint8_t *sig, 1261 size_t sig_len); 1262 1263 // X509_REVOKED_get0_serialNumber returns the serial number of the certificate 1264 // revoked by |revoked|. 1265 OPENSSL_EXPORT const ASN1_INTEGER *X509_REVOKED_get0_serialNumber( 1266 const X509_REVOKED *revoked); 1267 1268 // X509_REVOKED_set_serialNumber sets |revoked|'s serial number to |serial|. It 1269 // returns one on success or zero on error. 1270 OPENSSL_EXPORT int X509_REVOKED_set_serialNumber(X509_REVOKED *revoked, 1271 const ASN1_INTEGER *serial); 1272 1273 // X509_REVOKED_get0_revocationDate returns the revocation time of the 1274 // certificate revoked by |revoked|. 1275 OPENSSL_EXPORT const ASN1_TIME *X509_REVOKED_get0_revocationDate( 1276 const X509_REVOKED *revoked); 1277 1278 // X509_REVOKED_set_revocationDate sets |revoked|'s revocation time to |tm|. It 1279 // returns one on success or zero on error. 1280 OPENSSL_EXPORT int X509_REVOKED_set_revocationDate(X509_REVOKED *revoked, 1281 const ASN1_TIME *tm); 1282 1283 // X509_REVOKED_get0_extensions returns |r|'s extensions list, or NULL if |r| 1284 // omits it. 1285 OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions( 1286 const X509_REVOKED *r); 1287 1288 OPENSSL_EXPORT X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, 1289 EVP_PKEY *skey, const EVP_MD *md, 1290 unsigned int flags); 1291 1292 OPENSSL_EXPORT int X509_REQ_check_private_key(X509_REQ *x509, EVP_PKEY *pkey); 1293 1294 OPENSSL_EXPORT int X509_check_private_key(X509 *x509, const EVP_PKEY *pkey); 1295 OPENSSL_EXPORT int X509_chain_check_suiteb(int *perror_depth, X509 *x, 1296 STACK_OF(X509) *chain, 1297 unsigned long flags); 1298 OPENSSL_EXPORT int X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk, 1299 unsigned long flags); 1300 1301 // X509_chain_up_ref returns a newly-allocated |STACK_OF(X509)| containing a 1302 // shallow copy of |chain|, or NULL on error. That is, the return value has the 1303 // same contents as |chain|, and each |X509|'s reference count is incremented by 1304 // one. 1305 OPENSSL_EXPORT STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain); 1306 1307 OPENSSL_EXPORT int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b); 1308 1309 OPENSSL_EXPORT int X509_issuer_name_cmp(const X509 *a, const X509 *b); 1310 OPENSSL_EXPORT unsigned long X509_issuer_name_hash(X509 *a); 1311 1312 OPENSSL_EXPORT int X509_subject_name_cmp(const X509 *a, const X509 *b); 1313 OPENSSL_EXPORT unsigned long X509_subject_name_hash(X509 *x); 1314 1315 OPENSSL_EXPORT unsigned long X509_issuer_name_hash_old(X509 *a); 1316 OPENSSL_EXPORT unsigned long X509_subject_name_hash_old(X509 *x); 1317 1318 OPENSSL_EXPORT int X509_cmp(const X509 *a, const X509 *b); 1319 OPENSSL_EXPORT int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b); 1320 OPENSSL_EXPORT unsigned long X509_NAME_hash(X509_NAME *x); 1321 OPENSSL_EXPORT unsigned long X509_NAME_hash_old(X509_NAME *x); 1322 1323 OPENSSL_EXPORT int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b); 1324 OPENSSL_EXPORT int X509_CRL_match(const X509_CRL *a, const X509_CRL *b); 1325 OPENSSL_EXPORT int X509_print_ex_fp(FILE *bp, X509 *x, unsigned long nmflag, 1326 unsigned long cflag); 1327 OPENSSL_EXPORT int X509_print_fp(FILE *bp, X509 *x); 1328 OPENSSL_EXPORT int X509_CRL_print_fp(FILE *bp, X509_CRL *x); 1329 OPENSSL_EXPORT int X509_REQ_print_fp(FILE *bp, X509_REQ *req); 1330 OPENSSL_EXPORT int X509_NAME_print_ex_fp(FILE *fp, const X509_NAME *nm, 1331 int indent, unsigned long flags); 1332 1333 OPENSSL_EXPORT int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase); 1334 OPENSSL_EXPORT int X509_NAME_print_ex(BIO *out, const X509_NAME *nm, int indent, 1335 unsigned long flags); 1336 OPENSSL_EXPORT int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflag, 1337 unsigned long cflag); 1338 OPENSSL_EXPORT int X509_print(BIO *bp, X509 *x); 1339 OPENSSL_EXPORT int X509_ocspid_print(BIO *bp, X509 *x); 1340 OPENSSL_EXPORT int X509_CRL_print(BIO *bp, X509_CRL *x); 1341 OPENSSL_EXPORT int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflag, 1342 unsigned long cflag); 1343 OPENSSL_EXPORT int X509_REQ_print(BIO *bp, X509_REQ *req); 1344 1345 OPENSSL_EXPORT int X509_NAME_entry_count(const X509_NAME *name); 1346 OPENSSL_EXPORT int X509_NAME_get_text_by_NID(const X509_NAME *name, int nid, 1347 char *buf, int len); 1348 OPENSSL_EXPORT int X509_NAME_get_text_by_OBJ(const X509_NAME *name, 1349 const ASN1_OBJECT *obj, char *buf, 1350 int len); 1351 1352 // NOTE: you should be passsing -1, not 0 as lastpos. The functions that use 1353 // lastpos, search after that position on. 1354 OPENSSL_EXPORT int X509_NAME_get_index_by_NID(const X509_NAME *name, int nid, 1355 int lastpos); 1356 OPENSSL_EXPORT int X509_NAME_get_index_by_OBJ(const X509_NAME *name, 1357 const ASN1_OBJECT *obj, 1358 int lastpos); 1359 OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_get_entry(const X509_NAME *name, 1360 int loc); 1361 OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, 1362 int loc); 1363 OPENSSL_EXPORT int X509_NAME_add_entry(X509_NAME *name, X509_NAME_ENTRY *ne, 1364 int loc, int set); 1365 OPENSSL_EXPORT int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, 1366 int type, 1367 const unsigned char *bytes, 1368 int len, int loc, int set); 1369 OPENSSL_EXPORT int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, 1370 int type, 1371 const unsigned char *bytes, 1372 int len, int loc, int set); 1373 OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt( 1374 X509_NAME_ENTRY **ne, const char *field, int type, 1375 const unsigned char *bytes, int len); 1376 OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID( 1377 X509_NAME_ENTRY **ne, int nid, int type, const unsigned char *bytes, 1378 int len); 1379 OPENSSL_EXPORT int X509_NAME_add_entry_by_txt(X509_NAME *name, 1380 const char *field, int type, 1381 const unsigned char *bytes, 1382 int len, int loc, int set); 1383 OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ( 1384 X509_NAME_ENTRY **ne, const ASN1_OBJECT *obj, int type, 1385 const unsigned char *bytes, int len); 1386 OPENSSL_EXPORT int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, 1387 const ASN1_OBJECT *obj); 1388 OPENSSL_EXPORT int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, 1389 const unsigned char *bytes, 1390 int len); 1391 OPENSSL_EXPORT ASN1_OBJECT *X509_NAME_ENTRY_get_object( 1392 const X509_NAME_ENTRY *ne); 1393 OPENSSL_EXPORT ASN1_STRING *X509_NAME_ENTRY_get_data(const X509_NAME_ENTRY *ne); 1394 1395 // X509v3_get_ext_count returns the number of extensions in |x|. 1396 OPENSSL_EXPORT int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x); 1397 1398 // X509v3_get_ext_by_NID returns the index of the first extension in |x| with 1399 // type |nid|, or a negative number if not found. If found, callers can use 1400 // |X509v3_get_ext| to look up the extension by index. 1401 // 1402 // If |lastpos| is non-negative, it begins searching at |lastpos| + 1. Callers 1403 // can thus loop over all matching extensions by first passing -1 and then 1404 // passing the previously-returned value until no match is returned. 1405 OPENSSL_EXPORT int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, 1406 int nid, int lastpos); 1407 1408 // X509v3_get_ext_by_OBJ behaves like |X509v3_get_ext_by_NID| but looks for 1409 // extensions matching |obj|. 1410 OPENSSL_EXPORT int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *x, 1411 const ASN1_OBJECT *obj, int lastpos); 1412 1413 // X509v3_get_ext_by_critical returns the index of the first extension in |x| 1414 // whose critical bit matches |crit|, or a negative number if no such extension 1415 // was found. 1416 // 1417 // If |lastpos| is non-negative, it begins searching at |lastpos| + 1. Callers 1418 // can thus loop over all matching extensions by first passing -1 and then 1419 // passing the previously-returned value until no match is returned. 1420 OPENSSL_EXPORT int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *x, 1421 int crit, int lastpos); 1422 1423 // X509v3_get_ext returns the extension in |x| at index |loc|, or NULL if |loc| 1424 // is out of bounds. 1425 OPENSSL_EXPORT X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, 1426 int loc); 1427 1428 // X509v3_delete_ext removes the extension in |x| at index |loc| and returns the 1429 // removed extension, or NULL if |loc| was out of bounds. If an extension was 1430 // returned, the caller must release it with |X509_EXTENSION_free|. 1431 OPENSSL_EXPORT X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, 1432 int loc); 1433 1434 // X509v3_add_ext adds a copy of |ex| to the extension list in |*x|. If |*x| is 1435 // NULL, it allocates a new |STACK_OF(X509_EXTENSION)| to hold the copy and sets 1436 // |*x| to the new list. It returns |*x| on success and NULL on error. The 1437 // caller retains ownership of |ex| and can release it independently of |*x|. 1438 // 1439 // The new extension is inserted at index |loc|, shifting extensions to the 1440 // right. If |loc| is -1 or out of bounds, the new extension is appended to the 1441 // list. 1442 OPENSSL_EXPORT STACK_OF(X509_EXTENSION) *X509v3_add_ext( 1443 STACK_OF(X509_EXTENSION) **x, X509_EXTENSION *ex, int loc); 1444 1445 // X509_get_ext_count returns the number of extensions in |x|. 1446 OPENSSL_EXPORT int X509_get_ext_count(const X509 *x); 1447 1448 // X509_get_ext_by_NID behaves like |X509v3_get_ext_by_NID| but searches for 1449 // extensions in |x|. 1450 OPENSSL_EXPORT int X509_get_ext_by_NID(const X509 *x, int nid, int lastpos); 1451 1452 // X509_get_ext_by_OBJ behaves like |X509v3_get_ext_by_OBJ| but searches for 1453 // extensions in |x|. 1454 OPENSSL_EXPORT int X509_get_ext_by_OBJ(const X509 *x, const ASN1_OBJECT *obj, 1455 int lastpos); 1456 1457 // X509_get_ext_by_critical behaves like |X509v3_get_ext_by_critical| but 1458 // searches for extensions in |x|. 1459 OPENSSL_EXPORT int X509_get_ext_by_critical(const X509 *x, int crit, 1460 int lastpos); 1461 1462 // X509_get_ext returns the extension in |x| at index |loc|, or NULL if |loc| is 1463 // out of bounds. 1464 OPENSSL_EXPORT X509_EXTENSION *X509_get_ext(const X509 *x, int loc); 1465 1466 // X509_delete_ext removes the extension in |x| at index |loc| and returns the 1467 // removed extension, or NULL if |loc| was out of bounds. If non-NULL, the 1468 // caller must release the result with |X509_EXTENSION_free|. It is also safe, 1469 // but not necessary, to call |X509_EXTENSION_free| if the result is NULL. 1470 OPENSSL_EXPORT X509_EXTENSION *X509_delete_ext(X509 *x, int loc); 1471 1472 // X509_add_ext adds a copy of |ex| to |x|. It returns one on success and zero 1473 // on failure. The caller retains ownership of |ex| and can release it 1474 // independently of |x|. 1475 // 1476 // The new extension is inserted at index |loc|, shifting extensions to the 1477 // right. If |loc| is -1 or out of bounds, the new extension is appended to the 1478 // list. 1479 OPENSSL_EXPORT int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc); 1480 1481 // X509_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the extension in 1482 // |x509|'s extension list. 1483 // 1484 // WARNING: This function is difficult to use correctly. See the documentation 1485 // for |X509V3_get_d2i| for details. 1486 OPENSSL_EXPORT void *X509_get_ext_d2i(const X509 *x509, int nid, 1487 int *out_critical, int *out_idx); 1488 1489 // X509_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the extension to 1490 // |x|'s extension list. 1491 // 1492 // WARNING: This function may return zero or -1 on error. The caller must also 1493 // ensure |value|'s type matches |nid|. See the documentation for 1494 // |X509V3_add1_i2d| for details. 1495 OPENSSL_EXPORT int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit, 1496 unsigned long flags); 1497 1498 // X509_CRL_get_ext_count returns the number of extensions in |x|. 1499 OPENSSL_EXPORT int X509_CRL_get_ext_count(const X509_CRL *x); 1500 1501 // X509_CRL_get_ext_by_NID behaves like |X509v3_get_ext_by_NID| but searches for 1502 // extensions in |x|. 1503 OPENSSL_EXPORT int X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid, 1504 int lastpos); 1505 1506 // X509_CRL_get_ext_by_OBJ behaves like |X509v3_get_ext_by_OBJ| but searches for 1507 // extensions in |x|. 1508 OPENSSL_EXPORT int X509_CRL_get_ext_by_OBJ(const X509_CRL *x, 1509 const ASN1_OBJECT *obj, int lastpos); 1510 1511 // X509_CRL_get_ext_by_critical behaves like |X509v3_get_ext_by_critical| but 1512 // searches for extensions in |x|. 1513 OPENSSL_EXPORT int X509_CRL_get_ext_by_critical(const X509_CRL *x, int crit, 1514 int lastpos); 1515 1516 // X509_CRL_get_ext returns the extension in |x| at index |loc|, or NULL if 1517 // |loc| is out of bounds. 1518 OPENSSL_EXPORT X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc); 1519 1520 // X509_CRL_delete_ext removes the extension in |x| at index |loc| and returns 1521 // the removed extension, or NULL if |loc| was out of bounds. If non-NULL, the 1522 // caller must release the result with |X509_EXTENSION_free|. It is also safe, 1523 // but not necessary, to call |X509_EXTENSION_free| if the result is NULL. 1524 OPENSSL_EXPORT X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc); 1525 1526 // X509_CRL_add_ext adds a copy of |ex| to |x|. It returns one on success and 1527 // zero on failure. The caller retains ownership of |ex| and can release it 1528 // independently of |x|. 1529 // 1530 // The new extension is inserted at index |loc|, shifting extensions to the 1531 // right. If |loc| is -1 or out of bounds, the new extension is appended to the 1532 // list. 1533 OPENSSL_EXPORT int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc); 1534 1535 // X509_CRL_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the 1536 // extension in |crl|'s extension list. 1537 // 1538 // WARNING: This function is difficult to use correctly. See the documentation 1539 // for |X509V3_get_d2i| for details. 1540 OPENSSL_EXPORT void *X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid, 1541 int *out_critical, int *out_idx); 1542 1543 // X509_CRL_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the extension 1544 // to |x|'s extension list. 1545 // 1546 // WARNING: This function may return zero or -1 on error. The caller must also 1547 // ensure |value|'s type matches |nid|. See the documentation for 1548 // |X509V3_add1_i2d| for details. 1549 OPENSSL_EXPORT int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, 1550 int crit, unsigned long flags); 1551 1552 // X509_REVOKED_get_ext_count returns the number of extensions in |x|. 1553 OPENSSL_EXPORT int X509_REVOKED_get_ext_count(const X509_REVOKED *x); 1554 1555 // X509_REVOKED_get_ext_by_NID behaves like |X509v3_get_ext_by_NID| but searches 1556 // for extensions in |x|. 1557 OPENSSL_EXPORT int X509_REVOKED_get_ext_by_NID(const X509_REVOKED *x, int nid, 1558 int lastpos); 1559 1560 // X509_REVOKED_get_ext_by_OBJ behaves like |X509v3_get_ext_by_OBJ| but searches 1561 // for extensions in |x|. 1562 OPENSSL_EXPORT int X509_REVOKED_get_ext_by_OBJ(const X509_REVOKED *x, 1563 const ASN1_OBJECT *obj, 1564 int lastpos); 1565 1566 // X509_REVOKED_get_ext_by_critical behaves like |X509v3_get_ext_by_critical| 1567 // but searches for extensions in |x|. 1568 OPENSSL_EXPORT int X509_REVOKED_get_ext_by_critical(const X509_REVOKED *x, 1569 int crit, int lastpos); 1570 1571 // X509_REVOKED_get_ext returns the extension in |x| at index |loc|, or NULL if 1572 // |loc| is out of bounds. 1573 OPENSSL_EXPORT X509_EXTENSION *X509_REVOKED_get_ext(const X509_REVOKED *x, 1574 int loc); 1575 1576 // X509_REVOKED_delete_ext removes the extension in |x| at index |loc| and 1577 // returns the removed extension, or NULL if |loc| was out of bounds. If 1578 // non-NULL, the caller must release the result with |X509_EXTENSION_free|. It 1579 // is also safe, but not necessary, to call |X509_EXTENSION_free| if the result 1580 // is NULL. 1581 OPENSSL_EXPORT X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, 1582 int loc); 1583 1584 // X509_REVOKED_add_ext adds a copy of |ex| to |x|. It returns one on success 1585 // and zero on failure. The caller retains ownership of |ex| and can release it 1586 // independently of |x|. 1587 // 1588 // The new extension is inserted at index |loc|, shifting extensions to the 1589 // right. If |loc| is -1 or out of bounds, the new extension is appended to the 1590 // list. 1591 OPENSSL_EXPORT int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, 1592 int loc); 1593 1594 // X509_REVOKED_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the 1595 // extension in |revoked|'s extension list. 1596 // 1597 // WARNING: This function is difficult to use correctly. See the documentation 1598 // for |X509V3_get_d2i| for details. 1599 OPENSSL_EXPORT void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *revoked, 1600 int nid, int *out_critical, 1601 int *out_idx); 1602 1603 // X509_REVOKED_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the 1604 // extension to |x|'s extension list. 1605 // 1606 // WARNING: This function may return zero or -1 on error. The caller must also 1607 // ensure |value|'s type matches |nid|. See the documentation for 1608 // |X509V3_add1_i2d| for details. 1609 OPENSSL_EXPORT int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid, 1610 void *value, int crit, 1611 unsigned long flags); 1612 1613 // X509_EXTENSION_create_by_NID creates a new |X509_EXTENSION| with type |nid|, 1614 // value |data|, and critical bit |crit|. It returns the newly-allocated 1615 // |X509_EXTENSION| on success, and false on error. |nid| should be a |NID_*| 1616 // constant. 1617 // 1618 // If |ex| and |*ex| are both non-NULL, it modifies and returns |*ex| instead of 1619 // creating a new object. If |ex| is non-NULL, but |*ex| is NULL, it sets |*ex| 1620 // to the new |X509_EXTENSION|, in addition to returning the result. 1621 OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_create_by_NID( 1622 X509_EXTENSION **ex, int nid, int crit, const ASN1_OCTET_STRING *data); 1623 1624 // X509_EXTENSION_create_by_OBJ behaves like |X509_EXTENSION_create_by_NID|, but 1625 // the extension type is determined by an |ASN1_OBJECT|. 1626 OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_create_by_OBJ( 1627 X509_EXTENSION **ex, const ASN1_OBJECT *obj, int crit, 1628 const ASN1_OCTET_STRING *data); 1629 1630 // X509_EXTENSION_set_object sets |ex|'s extension type to |obj|. It returns one 1631 // on success and zero on error. 1632 OPENSSL_EXPORT int X509_EXTENSION_set_object(X509_EXTENSION *ex, 1633 const ASN1_OBJECT *obj); 1634 1635 // X509_EXTENSION_set_critical sets |ex| to critical if |crit| is non-zero and 1636 // to non-critical if |crit| is zero. 1637 OPENSSL_EXPORT int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit); 1638 1639 // X509_EXTENSION_set_data set's |ex|'s extension value to a copy of |data|. It 1640 // returns one on success and zero on error. 1641 OPENSSL_EXPORT int X509_EXTENSION_set_data(X509_EXTENSION *ex, 1642 const ASN1_OCTET_STRING *data); 1643 1644 // X509_EXTENSION_get_object returns |ex|'s extension type. 1645 OPENSSL_EXPORT ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex); 1646 1647 // X509_EXTENSION_get_data returns |ne|'s extension value. 1648 OPENSSL_EXPORT ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ne); 1649 1650 // X509_EXTENSION_get_critical returns one if |ex| is critical and zero 1651 // otherwise. 1652 OPENSSL_EXPORT int X509_EXTENSION_get_critical(const X509_EXTENSION *ex); 1653 1654 // X509at_get_attr_count returns the number of attributes in |x|. 1655 OPENSSL_EXPORT int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x); 1656 1657 // X509at_get_attr_by_NID returns the index of the attribute in |x| of type 1658 // |nid|, or a negative number if not found. If found, callers can use 1659 // |X509at_get_attr| to look up the attribute by index. 1660 // 1661 // If |lastpos| is non-negative, it begins searching at |lastpos| + 1. Callers 1662 // can thus loop over all matching attributes by first passing -1 and then 1663 // passing the previously-returned value until no match is returned. 1664 OPENSSL_EXPORT int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x, 1665 int nid, int lastpos); 1666 1667 // X509at_get_attr_by_OBJ behaves like |X509at_get_attr_by_NID| but looks for 1668 // attributes of type |obj|. 1669 OPENSSL_EXPORT int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk, 1670 const ASN1_OBJECT *obj, int lastpos); 1671 1672 // X509at_get_attr returns the attribute at index |loc| in |x|, or NULL if 1673 // out of bounds. 1674 OPENSSL_EXPORT X509_ATTRIBUTE *X509at_get_attr( 1675 const STACK_OF(X509_ATTRIBUTE) *x, int loc); 1676 1677 // X509at_delete_attr removes the attribute at index |loc| in |x|. It returns 1678 // the removed attribute to the caller, or NULL if |loc| was out of bounds. If 1679 // non-NULL, the caller must release the result with |X509_ATTRIBUTE_free| when 1680 // done. It is also safe, but not necessary, to call |X509_ATTRIBUTE_free| if 1681 // the result is NULL. 1682 OPENSSL_EXPORT X509_ATTRIBUTE *X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x, 1683 int loc); 1684 1685 // X509at_add1_attr appends a copy of |attr| to the attribute list in |*x|. If 1686 // |*x| is NULL, it allocates a new |STACK_OF(X509_ATTRIBUTE)| to hold the copy 1687 // and sets |*x| to the new list. It returns |*x| on success and NULL on error. 1688 // The caller retains ownership of |attr| and can release it independently of 1689 // |*x|. 1690 OPENSSL_EXPORT STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr( 1691 STACK_OF(X509_ATTRIBUTE) **x, X509_ATTRIBUTE *attr); 1692 1693 // X509at_add1_attr_by_OBJ behaves like |X509at_add1_attr|, but adds an 1694 // attribute created by |X509_ATTRIBUTE_create_by_OBJ|. 1695 OPENSSL_EXPORT STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ( 1696 STACK_OF(X509_ATTRIBUTE) **x, const ASN1_OBJECT *obj, int type, 1697 const unsigned char *bytes, int len); 1698 1699 // X509at_add1_attr_by_NID behaves like |X509at_add1_attr|, but adds an 1700 // attribute created by |X509_ATTRIBUTE_create_by_NID|. 1701 OPENSSL_EXPORT STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID( 1702 STACK_OF(X509_ATTRIBUTE) **x, int nid, int type, const unsigned char *bytes, 1703 int len); 1704 1705 // X509at_add1_attr_by_txt behaves like |X509at_add1_attr|, but adds an 1706 // attribute created by |X509_ATTRIBUTE_create_by_txt|. 1707 OPENSSL_EXPORT STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt( 1708 STACK_OF(X509_ATTRIBUTE) **x, const char *attrname, int type, 1709 const unsigned char *bytes, int len); 1710 1711 // X509_ATTRIBUTE_create_by_NID returns a newly-allocated |X509_ATTRIBUTE| of 1712 // type |nid|, or NULL on error. The value is determined as in 1713 // |X509_ATTRIBUTE_set1_data|. 1714 // 1715 // If |attr| is non-NULL, the resulting |X509_ATTRIBUTE| is also written to 1716 // |*attr|. If |*attr| was non-NULL when the function was called, |*attr| is 1717 // reused instead of creating a new object. 1718 // 1719 // WARNING: The interpretation of |attrtype|, |data|, and |len| is complex and 1720 // error-prone. See |X509_ATTRIBUTE_set1_data| for details. 1721 // 1722 // WARNING: The object reuse form is deprecated and may be removed in the 1723 // future. It also currently incorrectly appends to the reused object's value 1724 // set rather than overwriting it. 1725 OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID( 1726 X509_ATTRIBUTE **attr, int nid, int attrtype, const void *data, int len); 1727 1728 // X509_ATTRIBUTE_create_by_OBJ behaves like |X509_ATTRIBUTE_create_by_NID| 1729 // except the attribute's type is determined by |obj|. 1730 OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ( 1731 X509_ATTRIBUTE **attr, const ASN1_OBJECT *obj, int attrtype, 1732 const void *data, int len); 1733 1734 // X509_ATTRIBUTE_create_by_txt behaves like |X509_ATTRIBUTE_create_by_NID| 1735 // except the attribute's type is determined by calling |OBJ_txt2obj| with 1736 // |attrname|. 1737 OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt( 1738 X509_ATTRIBUTE **attr, const char *attrname, int type, 1739 const unsigned char *bytes, int len); 1740 1741 // X509_ATTRIBUTE_set1_object sets |attr|'s type to |obj|. It returns one on 1742 // success and zero on error. 1743 OPENSSL_EXPORT int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, 1744 const ASN1_OBJECT *obj); 1745 1746 // X509_ATTRIBUTE_set1_data appends a value to |attr|'s value set and returns 1747 // one on success or zero on error. The value is determined as follows: 1748 // 1749 // If |attrtype| is a |MBSTRING_*| constant, the value is an ASN.1 string. The 1750 // string is determined by decoding |len| bytes from |data| in the encoding 1751 // specified by |attrtype|, and then re-encoding it in a form appropriate for 1752 // |attr|'s type. If |len| is -1, |strlen(data)| is used instead. See 1753 // |ASN1_STRING_set_by_NID| for details. 1754 // 1755 // TODO(davidben): Document |ASN1_STRING_set_by_NID| so the reference is useful. 1756 // 1757 // Otherwise, if |len| is not -1, the value is an ASN.1 string. |attrtype| is an 1758 // |ASN1_STRING| type value and the |len| bytes from |data| are copied as the 1759 // type-specific representation of |ASN1_STRING|. See |ASN1_STRING| for details. 1760 // 1761 // WARNING: If this form is used to construct a negative INTEGER or ENUMERATED, 1762 // |attrtype| includes the |V_ASN1_NEG| flag for |ASN1_STRING|, but the function 1763 // forgets to clear the flag for |ASN1_TYPE|. This matches OpenSSL but is 1764 // probably a bug. For now, do not use this form with negative values. 1765 // 1766 // Otherwise, if |len| is -1, the value is constructed by passing |attrtype| and 1767 // |data| to |ASN1_TYPE_set1|. That is, |attrtype| is an |ASN1_TYPE| type value, 1768 // and |data| is cast to the corresponding pointer type. 1769 // 1770 // WARNING: Despite the name, this function appends to |attr|'s value set, 1771 // rather than overwriting it. To overwrite the value set, create a new 1772 // |X509_ATTRIBUTE| with |X509_ATTRIBUTE_new|. 1773 // 1774 // WARNING: If using the |MBSTRING_*| form, pass a length rather than relying on 1775 // |strlen|. In particular, |strlen| will not behave correctly if the input is 1776 // |MBSTRING_BMP| or |MBSTRING_UNIV|. 1777 // 1778 // WARNING: This function currently misinterprets |V_ASN1_OTHER| as an 1779 // |MBSTRING_*| constant. This matches OpenSSL but means it is impossible to 1780 // construct a value with a non-universal tag. 1781 OPENSSL_EXPORT int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, 1782 const void *data, int len); 1783 1784 // X509_ATTRIBUTE_get0_data returns the |idx|th value of |attr| in a 1785 // type-specific representation to |attrtype|, or NULL if out of bounds or the 1786 // type does not match. |attrtype| is one of the type values in |ASN1_TYPE|. On 1787 // match, the return value uses the same representation as |ASN1_TYPE_set0|. See 1788 // |ASN1_TYPE| for details. 1789 OPENSSL_EXPORT void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx, 1790 int attrtype, void *unused); 1791 1792 // X509_ATTRIBUTE_count returns the number of values in |attr|. 1793 OPENSSL_EXPORT int X509_ATTRIBUTE_count(const X509_ATTRIBUTE *attr); 1794 1795 // X509_ATTRIBUTE_get0_object returns the type of |attr|. 1796 OPENSSL_EXPORT ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr); 1797 1798 // X509_ATTRIBUTE_get0_type returns the |idx|th value in |attr|, or NULL if out 1799 // of bounds. Note this function returns one of |attr|'s values, not the type. 1800 OPENSSL_EXPORT ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, 1801 int idx); 1802 1803 OPENSSL_EXPORT int X509_verify_cert(X509_STORE_CTX *ctx); 1804 1805 // lookup a cert from a X509 STACK 1806 OPENSSL_EXPORT X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, 1807 X509_NAME *name, 1808 ASN1_INTEGER *serial); 1809 OPENSSL_EXPORT X509 *X509_find_by_subject(STACK_OF(X509) *sk, X509_NAME *name); 1810 1811 // PKCS#8 utilities 1812 1813 DECLARE_ASN1_FUNCTIONS(PKCS8_PRIV_KEY_INFO) 1814 1815 OPENSSL_EXPORT EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8); 1816 OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey); 1817 1818 OPENSSL_EXPORT int PKCS8_pkey_set0(PKCS8_PRIV_KEY_INFO *priv, ASN1_OBJECT *aobj, 1819 int version, int ptype, void *pval, 1820 unsigned char *penc, int penclen); 1821 OPENSSL_EXPORT int PKCS8_pkey_get0(ASN1_OBJECT **ppkalg, 1822 const unsigned char **pk, int *ppklen, 1823 X509_ALGOR **pa, PKCS8_PRIV_KEY_INFO *p8); 1824 1825 // X509_PUBKEY_set0_param sets |pub| to a key with AlgorithmIdentifier 1826 // determined by |obj|, |param_type|, and |param_value|, and an encoded 1827 // public key of |key|. On success, it takes ownership of all its parameters and 1828 // returns one. Otherwise, it returns zero. |key| must have been allocated by 1829 // |OPENSSL_malloc|. 1830 // 1831 // |obj|, |param_type|, and |param_value| are interpreted as in 1832 // |X509_ALGOR_set0|. See |X509_ALGOR_set0| for details. 1833 OPENSSL_EXPORT int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *obj, 1834 int param_type, void *param_value, 1835 uint8_t *key, int key_len); 1836 1837 // X509_PUBKEY_get0_param outputs fields of |pub| and returns one. If |out_obj| 1838 // is not NULL, it sets |*out_obj| to AlgorithmIdentifier's OID. If |out_key| 1839 // is not NULL, it sets |*out_key| and |*out_key_len| to the encoded public key. 1840 // If |out_alg| is not NULL, it sets |*out_alg| to the AlgorithmIdentifier. 1841 // 1842 // Note: X.509 SubjectPublicKeyInfo structures store the encoded public key as a 1843 // BIT STRING. |*out_key| and |*out_key_len| will silently pad the key with zero 1844 // bits if |pub| did not contain a whole number of bytes. Use 1845 // |X509_PUBKEY_get0_public_key| to preserve this information. 1846 OPENSSL_EXPORT int X509_PUBKEY_get0_param(ASN1_OBJECT **out_obj, 1847 const uint8_t **out_key, 1848 int *out_key_len, 1849 X509_ALGOR **out_alg, 1850 X509_PUBKEY *pub); 1851 1852 // X509_PUBKEY_get0_public_key returns |pub|'s encoded public key. 1853 OPENSSL_EXPORT const ASN1_BIT_STRING *X509_PUBKEY_get0_public_key( 1854 const X509_PUBKEY *pub); 1855 1856 OPENSSL_EXPORT int X509_check_trust(X509 *x, int id, int flags); 1857 OPENSSL_EXPORT int X509_TRUST_get_count(void); 1858 OPENSSL_EXPORT X509_TRUST *X509_TRUST_get0(int idx); 1859 OPENSSL_EXPORT int X509_TRUST_get_by_id(int id); 1860 OPENSSL_EXPORT int X509_TRUST_add(int id, int flags, 1861 int (*ck)(X509_TRUST *, X509 *, int), 1862 char *name, int arg1, void *arg2); 1863 OPENSSL_EXPORT void X509_TRUST_cleanup(void); 1864 OPENSSL_EXPORT int X509_TRUST_get_flags(const X509_TRUST *xp); 1865 OPENSSL_EXPORT char *X509_TRUST_get0_name(const X509_TRUST *xp); 1866 OPENSSL_EXPORT int X509_TRUST_get_trust(const X509_TRUST *xp); 1867 1868 1869 struct rsa_pss_params_st { 1870 X509_ALGOR *hashAlgorithm; 1871 X509_ALGOR *maskGenAlgorithm; 1872 ASN1_INTEGER *saltLength; 1873 ASN1_INTEGER *trailerField; 1874 // OpenSSL caches the MGF hash on |RSA_PSS_PARAMS| in some cases. None of the 1875 // cases apply to BoringSSL, so this is always NULL, but Node expects the 1876 // field to be present. 1877 X509_ALGOR *maskHash; 1878 } /* RSA_PSS_PARAMS */; 1879 1880 DECLARE_ASN1_FUNCTIONS(RSA_PSS_PARAMS) 1881 1882 /* 1883 SSL_CTX -> X509_STORE 1884 -> X509_LOOKUP 1885 ->X509_LOOKUP_METHOD 1886 -> X509_LOOKUP 1887 ->X509_LOOKUP_METHOD 1888 1889 SSL -> X509_STORE_CTX 1890 ->X509_STORE 1891 1892 The X509_STORE holds the tables etc for verification stuff. 1893 A X509_STORE_CTX is used while validating a single certificate. 1894 The X509_STORE has X509_LOOKUPs for looking up certs. 1895 The X509_STORE then calls a function to actually verify the 1896 certificate chain. 1897 */ 1898 1899 #define X509_LU_X509 1 1900 #define X509_LU_CRL 2 1901 #define X509_LU_PKEY 3 1902 1903 DEFINE_STACK_OF(X509_LOOKUP) 1904 DEFINE_STACK_OF(X509_OBJECT) 1905 DEFINE_STACK_OF(X509_VERIFY_PARAM) 1906 1907 typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *); 1908 typedef int (*X509_STORE_CTX_verify_fn)(X509_STORE_CTX *); 1909 typedef int (*X509_STORE_CTX_get_issuer_fn)(X509 **issuer, X509_STORE_CTX *ctx, 1910 X509 *x); 1911 typedef int (*X509_STORE_CTX_check_issued_fn)(X509_STORE_CTX *ctx, X509 *x, 1912 X509 *issuer); 1913 typedef int (*X509_STORE_CTX_check_revocation_fn)(X509_STORE_CTX *ctx); 1914 typedef int (*X509_STORE_CTX_get_crl_fn)(X509_STORE_CTX *ctx, X509_CRL **crl, 1915 X509 *x); 1916 typedef int (*X509_STORE_CTX_check_crl_fn)(X509_STORE_CTX *ctx, X509_CRL *crl); 1917 typedef int (*X509_STORE_CTX_cert_crl_fn)(X509_STORE_CTX *ctx, X509_CRL *crl, 1918 X509 *x); 1919 typedef int (*X509_STORE_CTX_check_policy_fn)(X509_STORE_CTX *ctx); 1920 typedef STACK_OF(X509) *(*X509_STORE_CTX_lookup_certs_fn)(X509_STORE_CTX *ctx, 1921 X509_NAME *nm); 1922 typedef STACK_OF(X509_CRL) *(*X509_STORE_CTX_lookup_crls_fn)( 1923 X509_STORE_CTX *ctx, X509_NAME *nm); 1924 typedef int (*X509_STORE_CTX_cleanup_fn)(X509_STORE_CTX *ctx); 1925 1926 OPENSSL_EXPORT int X509_STORE_set_depth(X509_STORE *store, int depth); 1927 1928 OPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); 1929 1930 #define X509_STORE_CTX_set_app_data(ctx, data) \ 1931 X509_STORE_CTX_set_ex_data(ctx, 0, data) 1932 #define X509_STORE_CTX_get_app_data(ctx) X509_STORE_CTX_get_ex_data(ctx, 0) 1933 1934 #define X509_L_FILE_LOAD 1 1935 #define X509_L_ADD_DIR 2 1936 1937 #define X509_LOOKUP_load_file(x, name, type) \ 1938 X509_LOOKUP_ctrl((x), X509_L_FILE_LOAD, (name), (long)(type), NULL) 1939 1940 #define X509_LOOKUP_add_dir(x, name, type) \ 1941 X509_LOOKUP_ctrl((x), X509_L_ADD_DIR, (name), (long)(type), NULL) 1942 1943 #define X509_V_OK 0 1944 #define X509_V_ERR_UNSPECIFIED 1 1945 1946 #define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2 1947 #define X509_V_ERR_UNABLE_TO_GET_CRL 3 1948 #define X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE 4 1949 #define X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE 5 1950 #define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6 1951 #define X509_V_ERR_CERT_SIGNATURE_FAILURE 7 1952 #define X509_V_ERR_CRL_SIGNATURE_FAILURE 8 1953 #define X509_V_ERR_CERT_NOT_YET_VALID 9 1954 #define X509_V_ERR_CERT_HAS_EXPIRED 10 1955 #define X509_V_ERR_CRL_NOT_YET_VALID 11 1956 #define X509_V_ERR_CRL_HAS_EXPIRED 12 1957 #define X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD 13 1958 #define X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD 14 1959 #define X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD 15 1960 #define X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD 16 1961 #define X509_V_ERR_OUT_OF_MEM 17 1962 #define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18 1963 #define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN 19 1964 #define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20 1965 #define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE 21 1966 #define X509_V_ERR_CERT_CHAIN_TOO_LONG 22 1967 #define X509_V_ERR_CERT_REVOKED 23 1968 #define X509_V_ERR_INVALID_CA 24 1969 #define X509_V_ERR_PATH_LENGTH_EXCEEDED 25 1970 #define X509_V_ERR_INVALID_PURPOSE 26 1971 #define X509_V_ERR_CERT_UNTRUSTED 27 1972 #define X509_V_ERR_CERT_REJECTED 28 1973 // These are 'informational' when looking for issuer cert 1974 #define X509_V_ERR_SUBJECT_ISSUER_MISMATCH 29 1975 #define X509_V_ERR_AKID_SKID_MISMATCH 30 1976 #define X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH 31 1977 #define X509_V_ERR_KEYUSAGE_NO_CERTSIGN 32 1978 1979 #define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33 1980 #define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34 1981 #define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35 1982 #define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36 1983 #define X509_V_ERR_INVALID_NON_CA 37 1984 #define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38 1985 #define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39 1986 #define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40 1987 1988 #define X509_V_ERR_INVALID_EXTENSION 41 1989 #define X509_V_ERR_INVALID_POLICY_EXTENSION 42 1990 #define X509_V_ERR_NO_EXPLICIT_POLICY 43 1991 #define X509_V_ERR_DIFFERENT_CRL_SCOPE 44 1992 #define X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE 45 1993 1994 #define X509_V_ERR_UNNESTED_RESOURCE 46 1995 1996 #define X509_V_ERR_PERMITTED_VIOLATION 47 1997 #define X509_V_ERR_EXCLUDED_VIOLATION 48 1998 #define X509_V_ERR_SUBTREE_MINMAX 49 1999 #define X509_V_ERR_APPLICATION_VERIFICATION 50 2000 #define X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE 51 2001 #define X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX 52 2002 #define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53 2003 #define X509_V_ERR_CRL_PATH_VALIDATION_ERROR 54 2004 2005 // Suite B mode algorithm violation 2006 #define X509_V_ERR_SUITE_B_INVALID_VERSION 56 2007 #define X509_V_ERR_SUITE_B_INVALID_ALGORITHM 57 2008 #define X509_V_ERR_SUITE_B_INVALID_CURVE 58 2009 #define X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM 59 2010 #define X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED 60 2011 #define X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 61 2012 2013 // Host, email and IP check errors 2014 #define X509_V_ERR_HOSTNAME_MISMATCH 62 2015 #define X509_V_ERR_EMAIL_MISMATCH 63 2016 #define X509_V_ERR_IP_ADDRESS_MISMATCH 64 2017 2018 // Caller error 2019 #define X509_V_ERR_INVALID_CALL 65 2020 // Issuer lookup error 2021 #define X509_V_ERR_STORE_LOOKUP 66 2022 2023 #define X509_V_ERR_NAME_CONSTRAINTS_WITHOUT_SANS 67 2024 2025 // Certificate verify flags 2026 2027 // Send issuer+subject checks to verify_cb 2028 #define X509_V_FLAG_CB_ISSUER_CHECK 0x1 2029 // Use check time instead of current time 2030 #define X509_V_FLAG_USE_CHECK_TIME 0x2 2031 // Lookup CRLs 2032 #define X509_V_FLAG_CRL_CHECK 0x4 2033 // Lookup CRLs for whole chain 2034 #define X509_V_FLAG_CRL_CHECK_ALL 0x8 2035 // Ignore unhandled critical extensions 2036 #define X509_V_FLAG_IGNORE_CRITICAL 0x10 2037 // Does nothing as its functionality has been enabled by default. 2038 #define X509_V_FLAG_X509_STRICT 0x00 2039 // Enable proxy certificate validation 2040 #define X509_V_FLAG_ALLOW_PROXY_CERTS 0x40 2041 // Enable policy checking 2042 #define X509_V_FLAG_POLICY_CHECK 0x80 2043 // Policy variable require-explicit-policy 2044 #define X509_V_FLAG_EXPLICIT_POLICY 0x100 2045 // Policy variable inhibit-any-policy 2046 #define X509_V_FLAG_INHIBIT_ANY 0x200 2047 // Policy variable inhibit-policy-mapping 2048 #define X509_V_FLAG_INHIBIT_MAP 0x400 2049 // Notify callback that policy is OK 2050 #define X509_V_FLAG_NOTIFY_POLICY 0x800 2051 // Extended CRL features such as indirect CRLs, alternate CRL signing keys 2052 #define X509_V_FLAG_EXTENDED_CRL_SUPPORT 0x1000 2053 // Delta CRL support 2054 #define X509_V_FLAG_USE_DELTAS 0x2000 2055 // Check selfsigned CA signature 2056 #define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000 2057 // Use trusted store first 2058 #define X509_V_FLAG_TRUSTED_FIRST 0x8000 2059 // Suite B 128 bit only mode: not normally used 2060 #define X509_V_FLAG_SUITEB_128_LOS_ONLY 0x10000 2061 // Suite B 192 bit only mode 2062 #define X509_V_FLAG_SUITEB_192_LOS 0x20000 2063 // Suite B 128 bit mode allowing 192 bit algorithms 2064 #define X509_V_FLAG_SUITEB_128_LOS 0x30000 2065 2066 // Allow partial chains if at least one certificate is in trusted store 2067 #define X509_V_FLAG_PARTIAL_CHAIN 0x80000 2068 2069 // If the initial chain is not trusted, do not attempt to build an alternative 2070 // chain. Alternate chain checking was introduced in 1.0.2b. Setting this flag 2071 // will force the behaviour to match that of previous versions. 2072 #define X509_V_FLAG_NO_ALT_CHAINS 0x100000 2073 2074 #define X509_VP_FLAG_DEFAULT 0x1 2075 #define X509_VP_FLAG_OVERWRITE 0x2 2076 #define X509_VP_FLAG_RESET_FLAGS 0x4 2077 #define X509_VP_FLAG_LOCKED 0x8 2078 #define X509_VP_FLAG_ONCE 0x10 2079 2080 // Internal use: mask of policy related options 2081 #define X509_V_FLAG_POLICY_MASK \ 2082 (X509_V_FLAG_POLICY_CHECK | X509_V_FLAG_EXPLICIT_POLICY | \ 2083 X509_V_FLAG_INHIBIT_ANY | X509_V_FLAG_INHIBIT_MAP) 2084 2085 OPENSSL_EXPORT int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, 2086 int type, X509_NAME *name); 2087 OPENSSL_EXPORT X509_OBJECT *X509_OBJECT_retrieve_by_subject( 2088 STACK_OF(X509_OBJECT) *h, int type, X509_NAME *name); 2089 OPENSSL_EXPORT X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, 2090 X509_OBJECT *x); 2091 OPENSSL_EXPORT int X509_OBJECT_up_ref_count(X509_OBJECT *a); 2092 OPENSSL_EXPORT void X509_OBJECT_free_contents(X509_OBJECT *a); 2093 OPENSSL_EXPORT int X509_OBJECT_get_type(const X509_OBJECT *a); 2094 OPENSSL_EXPORT X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a); 2095 OPENSSL_EXPORT X509_STORE *X509_STORE_new(void); 2096 OPENSSL_EXPORT int X509_STORE_up_ref(X509_STORE *store); 2097 OPENSSL_EXPORT void X509_STORE_free(X509_STORE *v); 2098 2099 OPENSSL_EXPORT STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *st); 2100 OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_get1_certs(X509_STORE_CTX *st, 2101 X509_NAME *nm); 2102 OPENSSL_EXPORT STACK_OF(X509_CRL) *X509_STORE_get1_crls(X509_STORE_CTX *st, 2103 X509_NAME *nm); 2104 OPENSSL_EXPORT int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags); 2105 OPENSSL_EXPORT int X509_STORE_set_purpose(X509_STORE *ctx, int purpose); 2106 OPENSSL_EXPORT int X509_STORE_set_trust(X509_STORE *ctx, int trust); 2107 OPENSSL_EXPORT int X509_STORE_set1_param(X509_STORE *ctx, 2108 X509_VERIFY_PARAM *pm); 2109 OPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *ctx); 2110 2111 OPENSSL_EXPORT void X509_STORE_set_verify(X509_STORE *ctx, 2112 X509_STORE_CTX_verify_fn verify); 2113 #define X509_STORE_set_verify_func(ctx, func) \ 2114 X509_STORE_set_verify((ctx), (func)) 2115 OPENSSL_EXPORT void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx, 2116 X509_STORE_CTX_verify_fn verify); 2117 OPENSSL_EXPORT X509_STORE_CTX_verify_fn X509_STORE_get_verify(X509_STORE *ctx); 2118 OPENSSL_EXPORT void X509_STORE_set_verify_cb( 2119 X509_STORE *ctx, X509_STORE_CTX_verify_cb verify_cb); 2120 #define X509_STORE_set_verify_cb_func(ctx, func) \ 2121 X509_STORE_set_verify_cb((ctx), (func)) 2122 OPENSSL_EXPORT X509_STORE_CTX_verify_cb 2123 X509_STORE_get_verify_cb(X509_STORE *ctx); 2124 OPENSSL_EXPORT void X509_STORE_set_get_issuer( 2125 X509_STORE *ctx, X509_STORE_CTX_get_issuer_fn get_issuer); 2126 OPENSSL_EXPORT X509_STORE_CTX_get_issuer_fn 2127 X509_STORE_get_get_issuer(X509_STORE *ctx); 2128 OPENSSL_EXPORT void X509_STORE_set_check_issued( 2129 X509_STORE *ctx, X509_STORE_CTX_check_issued_fn check_issued); 2130 OPENSSL_EXPORT X509_STORE_CTX_check_issued_fn 2131 X509_STORE_get_check_issued(X509_STORE *ctx); 2132 OPENSSL_EXPORT void X509_STORE_set_check_revocation( 2133 X509_STORE *ctx, X509_STORE_CTX_check_revocation_fn check_revocation); 2134 OPENSSL_EXPORT X509_STORE_CTX_check_revocation_fn 2135 X509_STORE_get_check_revocation(X509_STORE *ctx); 2136 OPENSSL_EXPORT void X509_STORE_set_get_crl(X509_STORE *ctx, 2137 X509_STORE_CTX_get_crl_fn get_crl); 2138 OPENSSL_EXPORT X509_STORE_CTX_get_crl_fn 2139 X509_STORE_get_get_crl(X509_STORE *ctx); 2140 OPENSSL_EXPORT void X509_STORE_set_check_crl( 2141 X509_STORE *ctx, X509_STORE_CTX_check_crl_fn check_crl); 2142 OPENSSL_EXPORT X509_STORE_CTX_check_crl_fn 2143 X509_STORE_get_check_crl(X509_STORE *ctx); 2144 OPENSSL_EXPORT void X509_STORE_set_cert_crl( 2145 X509_STORE *ctx, X509_STORE_CTX_cert_crl_fn cert_crl); 2146 OPENSSL_EXPORT X509_STORE_CTX_cert_crl_fn 2147 X509_STORE_get_cert_crl(X509_STORE *ctx); 2148 OPENSSL_EXPORT void X509_STORE_set_lookup_certs( 2149 X509_STORE *ctx, X509_STORE_CTX_lookup_certs_fn lookup_certs); 2150 OPENSSL_EXPORT X509_STORE_CTX_lookup_certs_fn 2151 X509_STORE_get_lookup_certs(X509_STORE *ctx); 2152 OPENSSL_EXPORT void X509_STORE_set_lookup_crls( 2153 X509_STORE *ctx, X509_STORE_CTX_lookup_crls_fn lookup_crls); 2154 #define X509_STORE_set_lookup_crls_cb(ctx, func) \ 2155 X509_STORE_set_lookup_crls((ctx), (func)) 2156 OPENSSL_EXPORT X509_STORE_CTX_lookup_crls_fn 2157 X509_STORE_get_lookup_crls(X509_STORE *ctx); 2158 OPENSSL_EXPORT void X509_STORE_set_cleanup(X509_STORE *ctx, 2159 X509_STORE_CTX_cleanup_fn cleanup); 2160 OPENSSL_EXPORT X509_STORE_CTX_cleanup_fn 2161 X509_STORE_get_cleanup(X509_STORE *ctx); 2162 2163 OPENSSL_EXPORT X509_STORE_CTX *X509_STORE_CTX_new(void); 2164 2165 OPENSSL_EXPORT int X509_STORE_CTX_get1_issuer(X509 **issuer, 2166 X509_STORE_CTX *ctx, X509 *x); 2167 2168 OPENSSL_EXPORT void X509_STORE_CTX_zero(X509_STORE_CTX *ctx); 2169 OPENSSL_EXPORT void X509_STORE_CTX_free(X509_STORE_CTX *ctx); 2170 OPENSSL_EXPORT int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, 2171 X509 *x509, STACK_OF(X509) *chain); 2172 OPENSSL_EXPORT void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, 2173 STACK_OF(X509) *sk); 2174 OPENSSL_EXPORT void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx); 2175 2176 OPENSSL_EXPORT X509_STORE *X509_STORE_CTX_get0_store(X509_STORE_CTX *ctx); 2177 OPENSSL_EXPORT X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx); 2178 2179 OPENSSL_EXPORT X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, 2180 X509_LOOKUP_METHOD *m); 2181 2182 OPENSSL_EXPORT X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void); 2183 OPENSSL_EXPORT X509_LOOKUP_METHOD *X509_LOOKUP_file(void); 2184 2185 OPENSSL_EXPORT int X509_STORE_add_cert(X509_STORE *ctx, X509 *x); 2186 OPENSSL_EXPORT int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x); 2187 2188 OPENSSL_EXPORT int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, 2189 X509_NAME *name, X509_OBJECT *ret); 2190 2191 OPENSSL_EXPORT int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, 2192 long argl, char **ret); 2193 2194 #ifndef OPENSSL_NO_STDIO 2195 OPENSSL_EXPORT int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, 2196 int type); 2197 OPENSSL_EXPORT int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, 2198 int type); 2199 OPENSSL_EXPORT int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, 2200 int type); 2201 #endif 2202 2203 OPENSSL_EXPORT X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method); 2204 OPENSSL_EXPORT void X509_LOOKUP_free(X509_LOOKUP *ctx); 2205 OPENSSL_EXPORT int X509_LOOKUP_init(X509_LOOKUP *ctx); 2206 OPENSSL_EXPORT int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, 2207 X509_NAME *name, X509_OBJECT *ret); 2208 OPENSSL_EXPORT int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, 2209 X509_NAME *name, 2210 ASN1_INTEGER *serial, 2211 X509_OBJECT *ret); 2212 OPENSSL_EXPORT int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type, 2213 unsigned char *bytes, int len, 2214 X509_OBJECT *ret); 2215 OPENSSL_EXPORT int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str, 2216 int len, X509_OBJECT *ret); 2217 OPENSSL_EXPORT int X509_LOOKUP_shutdown(X509_LOOKUP *ctx); 2218 2219 #ifndef OPENSSL_NO_STDIO 2220 OPENSSL_EXPORT int X509_STORE_load_locations(X509_STORE *ctx, const char *file, 2221 const char *dir); 2222 OPENSSL_EXPORT int X509_STORE_set_default_paths(X509_STORE *ctx); 2223 #endif 2224 2225 OPENSSL_EXPORT int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, 2226 CRYPTO_EX_unused *unused, 2227 CRYPTO_EX_dup *dup_unused, 2228 CRYPTO_EX_free *free_func); 2229 OPENSSL_EXPORT int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, 2230 void *data); 2231 OPENSSL_EXPORT void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx); 2232 OPENSSL_EXPORT int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx); 2233 OPENSSL_EXPORT void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int s); 2234 OPENSSL_EXPORT int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx); 2235 OPENSSL_EXPORT X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx); 2236 OPENSSL_EXPORT X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx); 2237 OPENSSL_EXPORT X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx); 2238 OPENSSL_EXPORT X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx( 2239 X509_STORE_CTX *ctx); 2240 OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx); 2241 OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx); 2242 OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx); 2243 OPENSSL_EXPORT void X509_STORE_CTX_set_cert(X509_STORE_CTX *c, X509 *x); 2244 OPENSSL_EXPORT void X509_STORE_CTX_set_chain(X509_STORE_CTX *c, 2245 STACK_OF(X509) *sk); 2246 OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get0_untrusted( 2247 X509_STORE_CTX *ctx); 2248 OPENSSL_EXPORT void X509_STORE_CTX_set0_crls(X509_STORE_CTX *c, 2249 STACK_OF(X509_CRL) *sk); 2250 OPENSSL_EXPORT int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose); 2251 OPENSSL_EXPORT int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust); 2252 OPENSSL_EXPORT int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, 2253 int def_purpose, int purpose, 2254 int trust); 2255 OPENSSL_EXPORT void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, 2256 unsigned long flags); 2257 OPENSSL_EXPORT void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, 2258 unsigned long flags, time_t t); 2259 OPENSSL_EXPORT void X509_STORE_CTX_set_verify_cb( 2260 X509_STORE_CTX *ctx, int (*verify_cb)(int, X509_STORE_CTX *)); 2261 2262 OPENSSL_EXPORT X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree( 2263 X509_STORE_CTX *ctx); 2264 OPENSSL_EXPORT int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx); 2265 2266 OPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_CTX_get0_param( 2267 X509_STORE_CTX *ctx); 2268 OPENSSL_EXPORT void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, 2269 X509_VERIFY_PARAM *param); 2270 OPENSSL_EXPORT int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, 2271 const char *name); 2272 2273 // X509_VERIFY_PARAM functions 2274 2275 OPENSSL_EXPORT X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void); 2276 OPENSSL_EXPORT void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param); 2277 OPENSSL_EXPORT int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *to, 2278 const X509_VERIFY_PARAM *from); 2279 OPENSSL_EXPORT int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, 2280 const X509_VERIFY_PARAM *from); 2281 OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, 2282 const char *name); 2283 OPENSSL_EXPORT int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, 2284 unsigned long flags); 2285 OPENSSL_EXPORT int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, 2286 unsigned long flags); 2287 OPENSSL_EXPORT unsigned long X509_VERIFY_PARAM_get_flags( 2288 X509_VERIFY_PARAM *param); 2289 OPENSSL_EXPORT int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, 2290 int purpose); 2291 OPENSSL_EXPORT int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, 2292 int trust); 2293 OPENSSL_EXPORT void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, 2294 int depth); 2295 OPENSSL_EXPORT void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, 2296 time_t t); 2297 OPENSSL_EXPORT int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, 2298 ASN1_OBJECT *policy); 2299 OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_policies( 2300 X509_VERIFY_PARAM *param, STACK_OF(ASN1_OBJECT) *policies); 2301 2302 OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, 2303 const char *name, 2304 size_t namelen); 2305 OPENSSL_EXPORT int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param, 2306 const char *name, 2307 size_t namelen); 2308 OPENSSL_EXPORT void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, 2309 unsigned int flags); 2310 OPENSSL_EXPORT char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *); 2311 OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, 2312 const char *email, 2313 size_t emaillen); 2314 OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, 2315 const unsigned char *ip, 2316 size_t iplen); 2317 OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, 2318 const char *ipasc); 2319 2320 OPENSSL_EXPORT int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param); 2321 OPENSSL_EXPORT const char *X509_VERIFY_PARAM_get0_name( 2322 const X509_VERIFY_PARAM *param); 2323 2324 OPENSSL_EXPORT int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param); 2325 OPENSSL_EXPORT int X509_VERIFY_PARAM_get_count(void); 2326 OPENSSL_EXPORT const X509_VERIFY_PARAM *X509_VERIFY_PARAM_get0(int id); 2327 OPENSSL_EXPORT const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup( 2328 const char *name); 2329 OPENSSL_EXPORT void X509_VERIFY_PARAM_table_cleanup(void); 2330 2331 OPENSSL_EXPORT int X509_policy_check(X509_POLICY_TREE **ptree, 2332 int *pexplicit_policy, 2333 STACK_OF(X509) *certs, 2334 STACK_OF(ASN1_OBJECT) *policy_oids, 2335 unsigned int flags); 2336 2337 OPENSSL_EXPORT void X509_policy_tree_free(X509_POLICY_TREE *tree); 2338 2339 OPENSSL_EXPORT int X509_policy_tree_level_count(const X509_POLICY_TREE *tree); 2340 OPENSSL_EXPORT X509_POLICY_LEVEL *X509_policy_tree_get0_level( 2341 const X509_POLICY_TREE *tree, int i); 2342 2343 OPENSSL_EXPORT STACK_OF(X509_POLICY_NODE) *X509_policy_tree_get0_policies( 2344 const X509_POLICY_TREE *tree); 2345 2346 OPENSSL_EXPORT STACK_OF(X509_POLICY_NODE) *X509_policy_tree_get0_user_policies( 2347 const X509_POLICY_TREE *tree); 2348 2349 OPENSSL_EXPORT int X509_policy_level_node_count(X509_POLICY_LEVEL *level); 2350 2351 OPENSSL_EXPORT X509_POLICY_NODE *X509_policy_level_get0_node( 2352 X509_POLICY_LEVEL *level, int i); 2353 2354 OPENSSL_EXPORT const ASN1_OBJECT *X509_policy_node_get0_policy( 2355 const X509_POLICY_NODE *node); 2356 2357 OPENSSL_EXPORT STACK_OF(POLICYQUALINFO) *X509_policy_node_get0_qualifiers( 2358 const X509_POLICY_NODE *node); 2359 OPENSSL_EXPORT const X509_POLICY_NODE *X509_policy_node_get0_parent( 2360 const X509_POLICY_NODE *node); 2361 2362 2363 #if defined(__cplusplus) 2364 } // extern C 2365 #endif 2366 2367 #if !defined(BORINGSSL_NO_CXX) 2368 extern "C++" { 2369 2370 BSSL_NAMESPACE_BEGIN 2371 2372 BORINGSSL_MAKE_DELETER(NETSCAPE_SPKI, NETSCAPE_SPKI_free) 2373 BORINGSSL_MAKE_DELETER(RSA_PSS_PARAMS, RSA_PSS_PARAMS_free) 2374 BORINGSSL_MAKE_DELETER(X509, X509_free) 2375 BORINGSSL_MAKE_UP_REF(X509, X509_up_ref) 2376 BORINGSSL_MAKE_DELETER(X509_ALGOR, X509_ALGOR_free) 2377 BORINGSSL_MAKE_DELETER(X509_ATTRIBUTE, X509_ATTRIBUTE_free) 2378 BORINGSSL_MAKE_DELETER(X509_CRL, X509_CRL_free) 2379 BORINGSSL_MAKE_UP_REF(X509_CRL, X509_CRL_up_ref) 2380 BORINGSSL_MAKE_DELETER(X509_EXTENSION, X509_EXTENSION_free) 2381 BORINGSSL_MAKE_DELETER(X509_INFO, X509_INFO_free) 2382 BORINGSSL_MAKE_DELETER(X509_LOOKUP, X509_LOOKUP_free) 2383 BORINGSSL_MAKE_DELETER(X509_NAME, X509_NAME_free) 2384 BORINGSSL_MAKE_DELETER(X509_NAME_ENTRY, X509_NAME_ENTRY_free) 2385 BORINGSSL_MAKE_DELETER(X509_PKEY, X509_PKEY_free) 2386 BORINGSSL_MAKE_DELETER(X509_POLICY_TREE, X509_policy_tree_free) 2387 BORINGSSL_MAKE_DELETER(X509_PUBKEY, X509_PUBKEY_free) 2388 BORINGSSL_MAKE_DELETER(X509_REQ, X509_REQ_free) 2389 BORINGSSL_MAKE_DELETER(X509_REVOKED, X509_REVOKED_free) 2390 BORINGSSL_MAKE_DELETER(X509_SIG, X509_SIG_free) 2391 BORINGSSL_MAKE_DELETER(X509_STORE, X509_STORE_free) 2392 BORINGSSL_MAKE_UP_REF(X509_STORE, X509_STORE_up_ref) 2393 BORINGSSL_MAKE_DELETER(X509_STORE_CTX, X509_STORE_CTX_free) 2394 BORINGSSL_MAKE_DELETER(X509_VERIFY_PARAM, X509_VERIFY_PARAM_free) 2395 2396 BSSL_NAMESPACE_END 2397 2398 } // extern C++ 2399 #endif // !BORINGSSL_NO_CXX 2400 2401 #define X509_R_AKID_MISMATCH 100 2402 #define X509_R_BAD_PKCS7_VERSION 101 2403 #define X509_R_BAD_X509_FILETYPE 102 2404 #define X509_R_BASE64_DECODE_ERROR 103 2405 #define X509_R_CANT_CHECK_DH_KEY 104 2406 #define X509_R_CERT_ALREADY_IN_HASH_TABLE 105 2407 #define X509_R_CRL_ALREADY_DELTA 106 2408 #define X509_R_CRL_VERIFY_FAILURE 107 2409 #define X509_R_IDP_MISMATCH 108 2410 #define X509_R_INVALID_BIT_STRING_BITS_LEFT 109 2411 #define X509_R_INVALID_DIRECTORY 110 2412 #define X509_R_INVALID_FIELD_NAME 111 2413 #define X509_R_INVALID_PSS_PARAMETERS 112 2414 #define X509_R_INVALID_TRUST 113 2415 #define X509_R_ISSUER_MISMATCH 114 2416 #define X509_R_KEY_TYPE_MISMATCH 115 2417 #define X509_R_KEY_VALUES_MISMATCH 116 2418 #define X509_R_LOADING_CERT_DIR 117 2419 #define X509_R_LOADING_DEFAULTS 118 2420 #define X509_R_NEWER_CRL_NOT_NEWER 119 2421 #define X509_R_NOT_PKCS7_SIGNED_DATA 120 2422 #define X509_R_NO_CERTIFICATES_INCLUDED 121 2423 #define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY 122 2424 #define X509_R_NO_CRLS_INCLUDED 123 2425 #define X509_R_NO_CRL_NUMBER 124 2426 #define X509_R_PUBLIC_KEY_DECODE_ERROR 125 2427 #define X509_R_PUBLIC_KEY_ENCODE_ERROR 126 2428 #define X509_R_SHOULD_RETRY 127 2429 #define X509_R_UNKNOWN_KEY_TYPE 128 2430 #define X509_R_UNKNOWN_NID 129 2431 #define X509_R_UNKNOWN_PURPOSE_ID 130 2432 #define X509_R_UNKNOWN_TRUST_ID 131 2433 #define X509_R_UNSUPPORTED_ALGORITHM 132 2434 #define X509_R_WRONG_LOOKUP_TYPE 133 2435 #define X509_R_WRONG_TYPE 134 2436 #define X509_R_NAME_TOO_LONG 135 2437 #define X509_R_INVALID_PARAMETER 136 2438 #define X509_R_SIGNATURE_ALGORITHM_MISMATCH 137 2439 #define X509_R_DELTA_CRL_WITHOUT_CRL_NUMBER 138 2440 #define X509_R_INVALID_FIELD_FOR_VERSION 139 2441 #define X509_R_INVALID_VERSION 140 2442 #define X509_R_NO_CERTIFICATE_FOUND 141 2443 #define X509_R_NO_CERTIFICATE_OR_CRL_FOUND 142 2444 #define X509_R_NO_CRL_FOUND 143 2445 2446 #endif 2447