1 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2 * project 1999. */ 3 /* ==================================================================== 4 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in 15 * the documentation and/or other materials provided with the 16 * distribution. 17 * 18 * 3. All advertising materials mentioning features or use of this 19 * software must display the following acknowledgment: 20 * "This product includes software developed by the OpenSSL Project 21 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 22 * 23 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 24 * endorse or promote products derived from this software without 25 * prior written permission. For written permission, please contact 26 * licensing@OpenSSL.org. 27 * 28 * 5. Products derived from this software may not be called "OpenSSL" 29 * nor may "OpenSSL" appear in their names without prior written 30 * permission of the OpenSSL Project. 31 * 32 * 6. Redistributions of any form whatsoever must retain the following 33 * acknowledgment: 34 * "This product includes software developed by the OpenSSL Project 35 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 36 * 37 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 38 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 39 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 40 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 41 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 42 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 43 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 44 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 45 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 46 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 47 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 48 * OF THE POSSIBILITY OF SUCH DAMAGE. 49 * ==================================================================== 50 * 51 * This product includes cryptographic software written by Eric Young 52 * (eay@cryptsoft.com). This product includes software written by Tim 53 * Hudson (tjh@cryptsoft.com). */ 54 55 #ifndef OPENSSL_HEADER_X509V3_H 56 #define OPENSSL_HEADER_X509V3_H 57 58 #include <openssl/bio.h> 59 #include <openssl/conf.h> 60 #include <openssl/lhash.h> 61 #include <openssl/x509.h> 62 63 #if defined(__cplusplus) 64 extern "C" { 65 #endif 66 67 68 // Legacy X.509 library. 69 // 70 // This header is part of OpenSSL's X.509 implementation. It is retained for 71 // compatibility but otherwise underdocumented and not actively maintained. In 72 // the future, a replacement library will be available. Meanwhile, minimize 73 // dependencies on this header where possible. 74 75 76 // Forward reference 77 struct v3_ext_method; 78 struct v3_ext_ctx; 79 80 // Useful typedefs 81 82 typedef struct v3_ext_method X509V3_EXT_METHOD; 83 84 typedef void *(*X509V3_EXT_NEW)(void); 85 typedef void (*X509V3_EXT_FREE)(void *); 86 typedef void *(*X509V3_EXT_D2I)(void *, const unsigned char **, long); 87 typedef int (*X509V3_EXT_I2D)(void *, unsigned char **); 88 typedef STACK_OF(CONF_VALUE) *(*X509V3_EXT_I2V)(const X509V3_EXT_METHOD *method, 89 void *ext, 90 STACK_OF(CONF_VALUE) *extlist); 91 typedef void *(*X509V3_EXT_V2I)(const X509V3_EXT_METHOD *method, 92 const X509V3_CTX *ctx, 93 const STACK_OF(CONF_VALUE) *values); 94 typedef char *(*X509V3_EXT_I2S)(const X509V3_EXT_METHOD *method, void *ext); 95 typedef void *(*X509V3_EXT_S2I)(const X509V3_EXT_METHOD *method, 96 const X509V3_CTX *ctx, const char *str); 97 typedef int (*X509V3_EXT_I2R)(const X509V3_EXT_METHOD *method, void *ext, 98 BIO *out, int indent); 99 typedef void *(*X509V3_EXT_R2I)(const X509V3_EXT_METHOD *method, 100 const X509V3_CTX *ctx, const char *str); 101 102 // V3 extension structure 103 104 struct v3_ext_method { 105 int ext_nid; 106 int ext_flags; 107 108 // it determines how values of this extension are allocated, released, parsed, 109 // and marshalled. This must be non-NULL. 110 ASN1_ITEM_EXP *it; 111 112 // The following functions are ignored in favor of |it|. They are retained in 113 // the struct only for source compatibility with existing struct definitions. 114 X509V3_EXT_NEW ext_new; 115 X509V3_EXT_FREE ext_free; 116 X509V3_EXT_D2I d2i; 117 X509V3_EXT_I2D i2d; 118 119 // The following pair is used for string extensions 120 X509V3_EXT_I2S i2s; 121 X509V3_EXT_S2I s2i; 122 123 // The following pair is used for multi-valued extensions 124 X509V3_EXT_I2V i2v; 125 X509V3_EXT_V2I v2i; 126 127 // The following are used for raw extensions 128 X509V3_EXT_I2R i2r; 129 X509V3_EXT_R2I r2i; 130 131 void *usr_data; // Any extension specific data 132 }; 133 134 DEFINE_STACK_OF(X509V3_EXT_METHOD) 135 136 // ext_flags values 137 #define X509V3_EXT_CTX_DEP 0x2 138 #define X509V3_EXT_MULTILINE 0x4 139 140 struct BASIC_CONSTRAINTS_st { 141 int ca; 142 ASN1_INTEGER *pathlen; 143 }; 144 145 146 typedef struct otherName_st { 147 ASN1_OBJECT *type_id; 148 ASN1_TYPE *value; 149 } OTHERNAME; 150 151 typedef struct EDIPartyName_st { 152 ASN1_STRING *nameAssigner; 153 ASN1_STRING *partyName; 154 } EDIPARTYNAME; 155 156 typedef struct GENERAL_NAME_st { 157 #define GEN_OTHERNAME 0 158 #define GEN_EMAIL 1 159 #define GEN_DNS 2 160 #define GEN_X400 3 161 #define GEN_DIRNAME 4 162 #define GEN_EDIPARTY 5 163 #define GEN_URI 6 164 #define GEN_IPADD 7 165 #define GEN_RID 8 166 167 int type; 168 union { 169 char *ptr; 170 OTHERNAME *otherName; // otherName 171 ASN1_IA5STRING *rfc822Name; 172 ASN1_IA5STRING *dNSName; 173 ASN1_STRING *x400Address; 174 X509_NAME *directoryName; 175 EDIPARTYNAME *ediPartyName; 176 ASN1_IA5STRING *uniformResourceIdentifier; 177 ASN1_OCTET_STRING *iPAddress; 178 ASN1_OBJECT *registeredID; 179 180 // Old names 181 ASN1_OCTET_STRING *ip; // iPAddress 182 X509_NAME *dirn; // dirn 183 ASN1_IA5STRING *ia5; // rfc822Name, dNSName, uniformResourceIdentifier 184 ASN1_OBJECT *rid; // registeredID 185 } d; 186 } GENERAL_NAME; 187 188 DEFINE_STACK_OF(GENERAL_NAME) 189 190 typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES; 191 192 DEFINE_STACK_OF(GENERAL_NAMES) 193 194 typedef struct ACCESS_DESCRIPTION_st { 195 ASN1_OBJECT *method; 196 GENERAL_NAME *location; 197 } ACCESS_DESCRIPTION; 198 199 DEFINE_STACK_OF(ACCESS_DESCRIPTION) 200 201 typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS; 202 203 typedef STACK_OF(ASN1_OBJECT) EXTENDED_KEY_USAGE; 204 205 typedef struct DIST_POINT_NAME_st { 206 int type; 207 union { 208 GENERAL_NAMES *fullname; 209 STACK_OF(X509_NAME_ENTRY) *relativename; 210 } name; 211 // If relativename then this contains the full distribution point name 212 X509_NAME *dpname; 213 } DIST_POINT_NAME; 214 // All existing reasons 215 #define CRLDP_ALL_REASONS 0x807f 216 217 #define CRL_REASON_NONE (-1) 218 #define CRL_REASON_UNSPECIFIED 0 219 #define CRL_REASON_KEY_COMPROMISE 1 220 #define CRL_REASON_CA_COMPROMISE 2 221 #define CRL_REASON_AFFILIATION_CHANGED 3 222 #define CRL_REASON_SUPERSEDED 4 223 #define CRL_REASON_CESSATION_OF_OPERATION 5 224 #define CRL_REASON_CERTIFICATE_HOLD 6 225 #define CRL_REASON_REMOVE_FROM_CRL 8 226 #define CRL_REASON_PRIVILEGE_WITHDRAWN 9 227 #define CRL_REASON_AA_COMPROMISE 10 228 229 struct DIST_POINT_st { 230 DIST_POINT_NAME *distpoint; 231 ASN1_BIT_STRING *reasons; 232 GENERAL_NAMES *CRLissuer; 233 int dp_reasons; 234 }; 235 236 typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS; 237 238 DEFINE_STACK_OF(DIST_POINT) 239 240 struct AUTHORITY_KEYID_st { 241 ASN1_OCTET_STRING *keyid; 242 GENERAL_NAMES *issuer; 243 ASN1_INTEGER *serial; 244 }; 245 246 typedef struct NOTICEREF_st { 247 ASN1_STRING *organization; 248 STACK_OF(ASN1_INTEGER) *noticenos; 249 } NOTICEREF; 250 251 typedef struct USERNOTICE_st { 252 NOTICEREF *noticeref; 253 ASN1_STRING *exptext; 254 } USERNOTICE; 255 256 typedef struct POLICYQUALINFO_st { 257 ASN1_OBJECT *pqualid; 258 union { 259 ASN1_IA5STRING *cpsuri; 260 USERNOTICE *usernotice; 261 ASN1_TYPE *other; 262 } d; 263 } POLICYQUALINFO; 264 265 DEFINE_STACK_OF(POLICYQUALINFO) 266 267 typedef struct POLICYINFO_st { 268 ASN1_OBJECT *policyid; 269 STACK_OF(POLICYQUALINFO) *qualifiers; 270 } POLICYINFO; 271 272 typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES; 273 274 DEFINE_STACK_OF(POLICYINFO) 275 276 typedef struct POLICY_MAPPING_st { 277 ASN1_OBJECT *issuerDomainPolicy; 278 ASN1_OBJECT *subjectDomainPolicy; 279 } POLICY_MAPPING; 280 281 DEFINE_STACK_OF(POLICY_MAPPING) 282 283 typedef STACK_OF(POLICY_MAPPING) POLICY_MAPPINGS; 284 285 typedef struct GENERAL_SUBTREE_st { 286 GENERAL_NAME *base; 287 ASN1_INTEGER *minimum; 288 ASN1_INTEGER *maximum; 289 } GENERAL_SUBTREE; 290 291 DEFINE_STACK_OF(GENERAL_SUBTREE) 292 293 struct NAME_CONSTRAINTS_st { 294 STACK_OF(GENERAL_SUBTREE) *permittedSubtrees; 295 STACK_OF(GENERAL_SUBTREE) *excludedSubtrees; 296 }; 297 298 typedef struct POLICY_CONSTRAINTS_st { 299 ASN1_INTEGER *requireExplicitPolicy; 300 ASN1_INTEGER *inhibitPolicyMapping; 301 } POLICY_CONSTRAINTS; 302 303 struct ISSUING_DIST_POINT_st { 304 DIST_POINT_NAME *distpoint; 305 int onlyuser; 306 int onlyCA; 307 ASN1_BIT_STRING *onlysomereasons; 308 int indirectCRL; 309 int onlyattr; 310 }; 311 312 // Values in idp_flags field 313 // IDP present 314 #define IDP_PRESENT 0x1 315 // IDP values inconsistent 316 #define IDP_INVALID 0x2 317 // onlyuser true 318 #define IDP_ONLYUSER 0x4 319 // onlyCA true 320 #define IDP_ONLYCA 0x8 321 // onlyattr true 322 #define IDP_ONLYATTR 0x10 323 // indirectCRL true 324 #define IDP_INDIRECT 0x20 325 // onlysomereasons present 326 #define IDP_REASONS 0x40 327 328 329 330 // X509_PURPOSE stuff 331 332 #define EXFLAG_BCONS 0x1 333 #define EXFLAG_KUSAGE 0x2 334 #define EXFLAG_XKUSAGE 0x4 335 #define EXFLAG_NSCERT 0x8 336 337 #define EXFLAG_CA 0x10 338 // Really self issued not necessarily self signed 339 #define EXFLAG_SI 0x20 340 #define EXFLAG_V1 0x40 341 #define EXFLAG_INVALID 0x80 342 #define EXFLAG_SET 0x100 343 #define EXFLAG_CRITICAL 0x200 344 345 #define EXFLAG_FRESHEST 0x1000 346 // Self signed 347 #define EXFLAG_SS 0x2000 348 349 #define KU_DIGITAL_SIGNATURE 0x0080 350 #define KU_NON_REPUDIATION 0x0040 351 #define KU_KEY_ENCIPHERMENT 0x0020 352 #define KU_DATA_ENCIPHERMENT 0x0010 353 #define KU_KEY_AGREEMENT 0x0008 354 #define KU_KEY_CERT_SIGN 0x0004 355 #define KU_CRL_SIGN 0x0002 356 #define KU_ENCIPHER_ONLY 0x0001 357 #define KU_DECIPHER_ONLY 0x8000 358 359 #define NS_SSL_CLIENT 0x80 360 #define NS_SSL_SERVER 0x40 361 #define NS_SMIME 0x20 362 #define NS_OBJSIGN 0x10 363 #define NS_SSL_CA 0x04 364 #define NS_SMIME_CA 0x02 365 #define NS_OBJSIGN_CA 0x01 366 #define NS_ANY_CA (NS_SSL_CA | NS_SMIME_CA | NS_OBJSIGN_CA) 367 368 #define XKU_SSL_SERVER 0x1 369 #define XKU_SSL_CLIENT 0x2 370 #define XKU_SMIME 0x4 371 #define XKU_CODE_SIGN 0x8 372 #define XKU_SGC 0x10 373 #define XKU_OCSP_SIGN 0x20 374 #define XKU_TIMESTAMP 0x40 375 #define XKU_DVCS 0x80 376 #define XKU_ANYEKU 0x100 377 378 #define X509_PURPOSE_DYNAMIC 0x1 379 #define X509_PURPOSE_DYNAMIC_NAME 0x2 380 381 typedef struct x509_purpose_st { 382 int purpose; 383 int trust; // Default trust ID 384 int flags; 385 int (*check_purpose)(const struct x509_purpose_st *, const X509 *, int); 386 char *name; 387 char *sname; 388 void *usr_data; 389 } X509_PURPOSE; 390 391 #define X509_PURPOSE_SSL_CLIENT 1 392 #define X509_PURPOSE_SSL_SERVER 2 393 #define X509_PURPOSE_NS_SSL_SERVER 3 394 #define X509_PURPOSE_SMIME_SIGN 4 395 #define X509_PURPOSE_SMIME_ENCRYPT 5 396 #define X509_PURPOSE_CRL_SIGN 6 397 #define X509_PURPOSE_ANY 7 398 #define X509_PURPOSE_OCSP_HELPER 8 399 #define X509_PURPOSE_TIMESTAMP_SIGN 9 400 401 #define X509_PURPOSE_MIN 1 402 #define X509_PURPOSE_MAX 9 403 404 DEFINE_STACK_OF(X509_PURPOSE) 405 406 DECLARE_ASN1_FUNCTIONS_const(BASIC_CONSTRAINTS) 407 408 // TODO(https://crbug.com/boringssl/407): This is not const because it contains 409 // an |X509_NAME|. 410 DECLARE_ASN1_FUNCTIONS(AUTHORITY_KEYID) 411 412 // TODO(https://crbug.com/boringssl/407): This is not const because it contains 413 // an |X509_NAME|. 414 DECLARE_ASN1_FUNCTIONS(GENERAL_NAME) 415 OPENSSL_EXPORT GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a); 416 417 // i2v_GENERAL_NAME serializes |gen| as a |CONF_VALUE|. If |ret| is non-NULL, it 418 // appends the value to |ret| and returns |ret| on success or NULL on error. If 419 // it returns NULL, the caller is still responsible for freeing |ret|. If |ret| 420 // is NULL, it returns a newly-allocated |STACK_OF(CONF_VALUE)| containing the 421 // result. |method| is ignored. 422 // 423 // Do not use this function. This is an internal implementation detail of the 424 // human-readable print functions. If extracting a SAN list from a certificate, 425 // look at |gen| directly. 426 OPENSSL_EXPORT STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME( 427 const X509V3_EXT_METHOD *method, const GENERAL_NAME *gen, 428 STACK_OF(CONF_VALUE) *ret); 429 430 // GENERAL_NAME_print prints a human-readable representation of |gen| to |out|. 431 // It returns one on success and zero on error. 432 // 433 // TODO(davidben): Actually, it just returns one and doesn't check for I/O or 434 // allocation errors. But it should return zero on error. 435 OPENSSL_EXPORT int GENERAL_NAME_print(BIO *out, const GENERAL_NAME *gen); 436 437 // TODO(https://crbug.com/boringssl/407): This is not const because it contains 438 // an |X509_NAME|. 439 DECLARE_ASN1_FUNCTIONS(GENERAL_NAMES) 440 441 // i2v_GENERAL_NAMES serializes |gen| as a list of |CONF_VALUE|s. If |ret| is 442 // non-NULL, it appends the values to |ret| and returns |ret| on success or NULL 443 // on error. If it returns NULL, the caller is still responsible for freeing 444 // |ret|. If |ret| is NULL, it returns a newly-allocated |STACK_OF(CONF_VALUE)| 445 // containing the results. |method| is ignored. 446 // 447 // Do not use this function. This is an internal implementation detail of the 448 // human-readable print functions. If extracting a SAN list from a certificate, 449 // look at |gen| directly. 450 OPENSSL_EXPORT STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES( 451 const X509V3_EXT_METHOD *method, const GENERAL_NAMES *gen, 452 STACK_OF(CONF_VALUE) *extlist); 453 OPENSSL_EXPORT GENERAL_NAMES *v2i_GENERAL_NAMES( 454 const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx, 455 const STACK_OF(CONF_VALUE) *nval); 456 457 DECLARE_ASN1_FUNCTIONS_const(OTHERNAME) 458 DECLARE_ASN1_FUNCTIONS_const(EDIPARTYNAME) 459 OPENSSL_EXPORT void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, 460 void *value); 461 OPENSSL_EXPORT void *GENERAL_NAME_get0_value(const GENERAL_NAME *a, int *ptype); 462 OPENSSL_EXPORT int GENERAL_NAME_set0_othername(GENERAL_NAME *gen, 463 ASN1_OBJECT *oid, 464 ASN1_TYPE *value); 465 OPENSSL_EXPORT int GENERAL_NAME_get0_otherName(const GENERAL_NAME *gen, 466 ASN1_OBJECT **poid, 467 ASN1_TYPE **pvalue); 468 469 // i2s_ASN1_OCTET_STRING returns a human-readable representation of |oct| as a 470 // newly-allocated, NUL-terminated string, or NULL on error. |method| is 471 // ignored. The caller must release the result with |OPENSSL_free| when done. 472 OPENSSL_EXPORT char *i2s_ASN1_OCTET_STRING(const X509V3_EXT_METHOD *method, 473 const ASN1_OCTET_STRING *oct); 474 475 OPENSSL_EXPORT ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING( 476 const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx, const char *str); 477 478 DECLARE_ASN1_FUNCTIONS_const(EXTENDED_KEY_USAGE) 479 OPENSSL_EXPORT int i2a_ACCESS_DESCRIPTION(BIO *bp, const ACCESS_DESCRIPTION *a); 480 481 DECLARE_ASN1_FUNCTIONS_const(CERTIFICATEPOLICIES) 482 DECLARE_ASN1_FUNCTIONS_const(POLICYINFO) 483 DECLARE_ASN1_FUNCTIONS_const(POLICYQUALINFO) 484 DECLARE_ASN1_FUNCTIONS_const(USERNOTICE) 485 DECLARE_ASN1_FUNCTIONS_const(NOTICEREF) 486 487 // TODO(https://crbug.com/boringssl/407): This is not const because it contains 488 // an |X509_NAME|. 489 DECLARE_ASN1_FUNCTIONS(CRL_DIST_POINTS) 490 // TODO(https://crbug.com/boringssl/407): This is not const because it contains 491 // an |X509_NAME|. 492 DECLARE_ASN1_FUNCTIONS(DIST_POINT) 493 // TODO(https://crbug.com/boringssl/407): This is not const because it contains 494 // an |X509_NAME|. 495 DECLARE_ASN1_FUNCTIONS(DIST_POINT_NAME) 496 // TODO(https://crbug.com/boringssl/407): This is not const because it contains 497 // an |X509_NAME|. 498 DECLARE_ASN1_FUNCTIONS(ISSUING_DIST_POINT) 499 500 OPENSSL_EXPORT int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, 501 X509_NAME *iname); 502 503 OPENSSL_EXPORT int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc); 504 505 // TODO(https://crbug.com/boringssl/407): This is not const because it contains 506 // an |X509_NAME|. 507 DECLARE_ASN1_FUNCTIONS(ACCESS_DESCRIPTION) 508 // TODO(https://crbug.com/boringssl/407): This is not const because it contains 509 // an |X509_NAME|. 510 DECLARE_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS) 511 512 DECLARE_ASN1_ITEM(POLICY_MAPPING) 513 DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING) 514 DECLARE_ASN1_ITEM(POLICY_MAPPINGS) 515 516 DECLARE_ASN1_ITEM(GENERAL_SUBTREE) 517 DECLARE_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE) 518 519 DECLARE_ASN1_ITEM(NAME_CONSTRAINTS) 520 DECLARE_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS) 521 522 DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS) 523 DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS) 524 525 OPENSSL_EXPORT GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out, 526 const X509V3_EXT_METHOD *method, 527 const X509V3_CTX *ctx, int gen_type, 528 const char *value, int is_nc); 529 530 OPENSSL_EXPORT GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, 531 const X509V3_CTX *ctx, 532 const CONF_VALUE *cnf); 533 OPENSSL_EXPORT GENERAL_NAME *v2i_GENERAL_NAME_ex( 534 GENERAL_NAME *out, const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx, 535 const CONF_VALUE *cnf, int is_nc); 536 OPENSSL_EXPORT void X509V3_conf_free(CONF_VALUE *val); 537 538 539 // Deprecated config-based extension creation. 540 // 541 // The following functions allow specifying X.509 extensions using OpenSSL's 542 // config file syntax, from the OpenSSL command-line tool. They are retained, 543 // for now, for compatibility with legacy software but may be removed in the 544 // future. Construct the extensions using the typed C APIs instead. 545 // 546 // Callers should especially avoid these functions if passing in non-constant 547 // values. They use ad-hoc, string-based formats which are prone to injection 548 // vulnerabilities. For a CA, this means using them risks misissuance. 549 // 550 // These functions are not safe to use with untrusted inputs. The string formats 551 // may implicitly reference context information and, in OpenSSL (though not 552 // BoringSSL), one even allows reading arbitrary files. They additionally see 553 // much less testing and review than most of the library and may have bugs 554 // including memory leaks or crashes. 555 556 // v3_ext_ctx, aka |X509V3_CTX|, contains additional context information for 557 // constructing extensions. Some string formats reference additional values in 558 // these objects. It must be initialized with |X509V3_set_ctx| or 559 // |X509V3_set_ctx_test| before use. 560 struct v3_ext_ctx { 561 int flags; 562 const X509 *issuer_cert; 563 const X509 *subject_cert; 564 const X509_REQ *subject_req; 565 const X509_CRL *crl; 566 const CONF *db; 567 }; 568 569 #define X509V3_CTX_TEST 0x1 570 571 // X509V3_set_ctx initializes |ctx| with the specified objects. Some string 572 // formats will reference fields in these objects. Each object may be NULL to 573 // omit it, in which case those formats cannot be used. |flags| should be zero, 574 // unless called via |X509V3_set_ctx_test|. 575 // 576 // |issuer|, |subject|, |req|, and |crl|, if non-NULL, must outlive |ctx|. 577 OPENSSL_EXPORT void X509V3_set_ctx(X509V3_CTX *ctx, const X509 *issuer, 578 const X509 *subject, const X509_REQ *req, 579 const X509_CRL *crl, int flags); 580 581 // X509V3_set_ctx_test calls |X509V3_set_ctx| without any reference objects and 582 // mocks out some features that use them. The resulting extensions may be 583 // incomplete and should be discarded. This can be used to partially validate 584 // syntax. 585 // 586 // TODO(davidben): Can we remove this? 587 #define X509V3_set_ctx_test(ctx) \ 588 X509V3_set_ctx(ctx, NULL, NULL, NULL, NULL, X509V3_CTX_TEST) 589 590 // X509V3_set_nconf sets |ctx| to use |conf| as the config database. |ctx| must 591 // have previously been initialized by |X509V3_set_ctx| or 592 // |X509V3_set_ctx_test|. Some string formats will reference sections in |conf|. 593 // |conf| may be NULL, in which case these formats cannot be used. If non-NULL, 594 // |conf| must outlive |ctx|. 595 OPENSSL_EXPORT void X509V3_set_nconf(X509V3_CTX *ctx, const CONF *conf); 596 597 // X509V3_set_ctx_nodb calls |X509V3_set_nconf| with no config database. 598 #define X509V3_set_ctx_nodb(ctx) X509V3_set_nconf(ctx, NULL) 599 600 // X509V3_EXT_nconf constructs an extension of type specified by |name|, and 601 // value specified by |value|. It returns a newly-allocated |X509_EXTENSION| 602 // object on success, or NULL on error. |conf| and |ctx| specify additional 603 // information referenced by some formats. Either |conf| or |ctx| may be NULL, 604 // in which case features which use it will be disabled. 605 // 606 // If non-NULL, |ctx| must be initialized with |X509V3_set_ctx| or 607 // |X509V3_set_ctx_test|. 608 // 609 // Both |conf| and |ctx| provide a |CONF| object. When |ctx| is non-NULL, most 610 // features use the |ctx| copy, configured with |X509V3_set_ctx|, but some use 611 // |conf|. Callers should ensure the two match to avoid surprisingly behavior. 612 OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_nconf(const CONF *conf, 613 const X509V3_CTX *ctx, 614 const char *name, 615 const char *value); 616 617 // X509V3_EXT_nconf_nid behaves like |X509V3_EXT_nconf|, except the extension 618 // type is specified as a NID. 619 OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_nconf_nid(const CONF *conf, 620 const X509V3_CTX *ctx, 621 int ext_nid, 622 const char *value); 623 624 // X509V3_EXT_conf_nid calls |X509V3_EXT_nconf_nid|. |conf| must be NULL. 625 // 626 // TODO(davidben): This is the only exposed instance of an LHASH in our public 627 // headers. cryptography.io wraps this function so we cannot, yet, replace the 628 // type with a dummy struct. 629 OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, 630 const X509V3_CTX *ctx, 631 int ext_nid, 632 const char *value); 633 634 // X509V3_EXT_add_nconf_sk looks up the section named |section| in |conf|. For 635 // each |CONF_VALUE| in the section, it constructs an extension as in 636 // |X509V3_EXT_nconf|, taking |name| and |value| from the |CONF_VALUE|. Each new 637 // extension is appended to |*sk|. If |*sk| is non-NULL, and at least one 638 // extension is added, it sets |*sk| to a newly-allocated 639 // |STACK_OF(X509_EXTENSION)|. It returns one on success and zero on error. 640 OPENSSL_EXPORT int X509V3_EXT_add_nconf_sk(const CONF *conf, 641 const X509V3_CTX *ctx, 642 const char *section, 643 STACK_OF(X509_EXTENSION) **sk); 644 645 // X509V3_EXT_add_nconf adds extensions to |cert| as in 646 // |X509V3_EXT_add_nconf_sk|. It returns one on success and zero on error. 647 OPENSSL_EXPORT int X509V3_EXT_add_nconf(const CONF *conf, const X509V3_CTX *ctx, 648 const char *section, X509 *cert); 649 650 // X509V3_EXT_REQ_add_nconf adds extensions to |req| as in 651 // |X509V3_EXT_add_nconf_sk|. It returns one on success and zero on error. 652 OPENSSL_EXPORT int X509V3_EXT_REQ_add_nconf(const CONF *conf, 653 const X509V3_CTX *ctx, 654 const char *section, X509_REQ *req); 655 656 // X509V3_EXT_CRL_add_nconf adds extensions to |crl| as in 657 // |X509V3_EXT_add_nconf_sk|. It returns one on success and zero on error. 658 OPENSSL_EXPORT int X509V3_EXT_CRL_add_nconf(const CONF *conf, 659 const X509V3_CTX *ctx, 660 const char *section, X509_CRL *crl); 661 662 663 OPENSSL_EXPORT char *i2s_ASN1_INTEGER(const X509V3_EXT_METHOD *meth, 664 const ASN1_INTEGER *aint); 665 OPENSSL_EXPORT ASN1_INTEGER *s2i_ASN1_INTEGER(const X509V3_EXT_METHOD *meth, 666 const char *value); 667 OPENSSL_EXPORT char *i2s_ASN1_ENUMERATED(const X509V3_EXT_METHOD *meth, 668 const ASN1_ENUMERATED *aint); 669 670 // X509V3_EXT_add registers |ext| as a custom extension for the extension type 671 // |ext->ext_nid|. |ext| must be valid for the remainder of the address space's 672 // lifetime. It returns one on success and zero on error. 673 // 674 // WARNING: This function modifies global state. If other code in the same 675 // address space also registers an extension with type |ext->ext_nid|, the two 676 // registrations will conflict. Which registration takes effect is undefined. If 677 // the two registrations use incompatible in-memory representations, code 678 // expecting the other registration will then cast a type to the wrong type, 679 // resulting in a potentially exploitable memory error. This conflict can also 680 // occur if BoringSSL later adds support for |ext->ext_nid|, with a different 681 // in-memory representation than the one expected by |ext|. 682 // 683 // This function, additionally, is not thread-safe and cannot be called 684 // concurrently with any other BoringSSL function. 685 // 686 // As a result, it is impossible to safely use this function. Registering a 687 // custom extension has no impact on certificate verification so, instead, 688 // callers should simply handle the custom extension with the byte-based 689 // |X509_EXTENSION| APIs directly. Registering |ext| with the library has little 690 // practical value. 691 OPENSSL_EXPORT OPENSSL_DEPRECATED int X509V3_EXT_add(X509V3_EXT_METHOD *ext); 692 693 // X509V3_EXT_add_alias registers a custom extension with NID |nid_to|. The 694 // corresponding ASN.1 type is copied from |nid_from|. It returns one on success 695 // and zero on error. 696 // 697 // WARNING: Do not use this function. See |X509V3_EXT_add|. 698 OPENSSL_EXPORT OPENSSL_DEPRECATED int X509V3_EXT_add_alias(int nid_to, 699 int nid_from); 700 701 OPENSSL_EXPORT const X509V3_EXT_METHOD *X509V3_EXT_get( 702 const X509_EXTENSION *ext); 703 OPENSSL_EXPORT const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid); 704 OPENSSL_EXPORT int X509V3_add_standard_extensions(void); 705 706 // X509V3_EXT_d2i decodes |ext| and returns a pointer to a newly-allocated 707 // structure, with type dependent on the type of the extension. It returns NULL 708 // if |ext| is an unsupported extension or if there was a syntax error in the 709 // extension. The caller should cast the return value to the expected type and 710 // free the structure when done. 711 // 712 // WARNING: Casting the return value to the wrong type is a potentially 713 // exploitable memory error, so callers must not use this function before 714 // checking |ext| is of a known type. 715 OPENSSL_EXPORT void *X509V3_EXT_d2i(const X509_EXTENSION *ext); 716 717 // X509V3_get_d2i finds and decodes the extension in |extensions| of type |nid|. 718 // If found, it decodes it and returns a newly-allocated structure, with type 719 // dependent on |nid|. If the extension is not found or on error, it returns 720 // NULL. The caller may distinguish these cases using the |out_critical| value. 721 // 722 // If |out_critical| is not NULL, this function sets |*out_critical| to one if 723 // the extension is found and critical, zero if it is found and not critical, -1 724 // if it is not found, and -2 if there is an invalid duplicate extension. Note 725 // this function may set |*out_critical| to one or zero and still return NULL if 726 // the extension is found but has a syntax error. 727 // 728 // If |out_idx| is not NULL, this function looks for the first occurrence of the 729 // extension after |*out_idx|. It then sets |*out_idx| to the index of the 730 // extension, or -1 if not found. If |out_idx| is non-NULL, duplicate extensions 731 // are not treated as an error. Callers, however, should not rely on this 732 // behavior as it may be removed in the future. Duplicate extensions are 733 // forbidden in RFC 5280. 734 // 735 // WARNING: This function is difficult to use correctly. Callers should pass a 736 // non-NULL |out_critical| and check both the return value and |*out_critical| 737 // to handle errors. If the return value is NULL and |*out_critical| is not -1, 738 // there was an error. Otherwise, the function succeeded and but may return NULL 739 // for a missing extension. Callers should pass NULL to |out_idx| so that 740 // duplicate extensions are handled correctly. 741 // 742 // Additionally, casting the return value to the wrong type is a potentially 743 // exploitable memory error, so callers must ensure the cast and |nid| match. 744 OPENSSL_EXPORT void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *extensions, 745 int nid, int *out_critical, int *out_idx); 746 747 // X509V3_EXT_free casts |ext_data| into the type that corresponds to |nid| and 748 // releases memory associated with it. It returns one on success and zero if 749 // |nid| is not a known extension. 750 // 751 // WARNING: Casting |ext_data| to the wrong type is a potentially exploitable 752 // memory error, so callers must ensure |ext_data|'s type matches |nid|. 753 // 754 // TODO(davidben): OpenSSL upstream no longer exposes this function. Remove it? 755 OPENSSL_EXPORT int X509V3_EXT_free(int nid, void *ext_data); 756 757 // X509V3_EXT_i2d casts |ext_struc| into the type that corresponds to 758 // |ext_nid|, serializes it, and returns a newly-allocated |X509_EXTENSION| 759 // object containing the serialization, or NULL on error. The |X509_EXTENSION| 760 // has OID |ext_nid| and is critical if |crit| is one. 761 // 762 // WARNING: Casting |ext_struc| to the wrong type is a potentially exploitable 763 // memory error, so callers must ensure |ext_struct|'s type matches |ext_nid|. 764 OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, 765 void *ext_struc); 766 767 // The following constants control the behavior of |X509V3_add1_i2d| and related 768 // functions. 769 770 // X509V3_ADD_OP_MASK can be ANDed with the flags to determine how duplicate 771 // extensions are processed. 772 #define X509V3_ADD_OP_MASK 0xfL 773 774 // X509V3_ADD_DEFAULT causes the function to fail if the extension was already 775 // present. 776 #define X509V3_ADD_DEFAULT 0L 777 778 // X509V3_ADD_APPEND causes the function to unconditionally appended the new 779 // extension to to the extensions list, even if there is a duplicate. 780 #define X509V3_ADD_APPEND 1L 781 782 // X509V3_ADD_REPLACE causes the function to replace the existing extension, or 783 // append if it is not present. 784 #define X509V3_ADD_REPLACE 2L 785 786 // X509V3_ADD_REPLACE causes the function to replace the existing extension and 787 // fail if it is not present. 788 #define X509V3_ADD_REPLACE_EXISTING 3L 789 790 // X509V3_ADD_KEEP_EXISTING causes the function to succeed without replacing the 791 // extension if already present. 792 #define X509V3_ADD_KEEP_EXISTING 4L 793 794 // X509V3_ADD_DELETE causes the function to remove the matching extension. No 795 // new extension is added. If there is no matching extension, the function 796 // fails. The |value| parameter is ignored in this mode. 797 #define X509V3_ADD_DELETE 5L 798 799 // X509V3_ADD_SILENT may be ORed into one of the values above to indicate the 800 // function should not add to the error queue on duplicate or missing extension. 801 // The function will continue to return zero in those cases, and it will 802 // continue to return -1 and add to the error queue on other errors. 803 #define X509V3_ADD_SILENT 0x10 804 805 // X509V3_add1_i2d casts |value| to the type that corresponds to |nid|, 806 // serializes it, and appends it to the extension list in |*x|. If |*x| is NULL, 807 // it will set |*x| to a newly-allocated |STACK_OF(X509_EXTENSION)| as needed. 808 // The |crit| parameter determines whether the new extension is critical. 809 // |flags| may be some combination of the |X509V3_ADD_*| constants to control 810 // the function's behavior on duplicate extension. 811 // 812 // This function returns one on success, zero if the operation failed due to a 813 // missing or duplicate extension, and -1 on other errors. 814 // 815 // WARNING: Casting |value| to the wrong type is a potentially exploitable 816 // memory error, so callers must ensure |value|'s type matches |nid|. 817 OPENSSL_EXPORT int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, 818 void *value, int crit, unsigned long flags); 819 820 #define X509V3_EXT_UNKNOWN_MASK (0xfL << 16) 821 822 // X509V3_EXT_DEFAULT causes unknown extensions or syntax errors to return 823 // failure. 824 #define X509V3_EXT_DEFAULT 0 825 // X509V3_EXT_ERROR_UNKNOWN causes unknown extensions or syntax errors to print 826 // as "<Not Supported>" or "<Parse Error>", respectively. 827 #define X509V3_EXT_ERROR_UNKNOWN (1L << 16) 828 // X509V3_EXT_PARSE_UNKNOWN is deprecated and behaves like 829 // |X509V3_EXT_DUMP_UNKNOWN|. 830 #define X509V3_EXT_PARSE_UNKNOWN (2L << 16) 831 // X509V3_EXT_DUMP_UNKNOWN causes unknown extensions to be displayed as a 832 // hexdump. 833 #define X509V3_EXT_DUMP_UNKNOWN (3L << 16) 834 835 OPENSSL_EXPORT void X509V3_EXT_val_prn(BIO *out, 836 const STACK_OF(CONF_VALUE) *val, 837 int indent, int ml); 838 OPENSSL_EXPORT int X509V3_EXT_print(BIO *out, const X509_EXTENSION *ext, 839 unsigned long flag, int indent); 840 OPENSSL_EXPORT int X509V3_EXT_print_fp(FILE *out, const X509_EXTENSION *ext, 841 int flag, int indent); 842 843 // X509V3_extensions_print prints |title|, followed by a human-readable 844 // representation of |exts| to |out|. It returns one on success and zero on 845 // error. The output is indented by |indent| spaces. |flag| is one of the 846 // |X509V3_EXT_*| constants and controls printing of unknown extensions and 847 // syntax errors. 848 OPENSSL_EXPORT int X509V3_extensions_print(BIO *out, const char *title, 849 const STACK_OF(X509_EXTENSION) *exts, 850 unsigned long flag, int indent); 851 852 OPENSSL_EXPORT int X509_check_ca(X509 *x); 853 OPENSSL_EXPORT int X509_check_purpose(X509 *x, int id, int ca); 854 OPENSSL_EXPORT int X509_supported_extension(const X509_EXTENSION *ex); 855 OPENSSL_EXPORT int X509_PURPOSE_set(int *p, int purpose); 856 OPENSSL_EXPORT int X509_check_issued(X509 *issuer, X509 *subject); 857 OPENSSL_EXPORT int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid); 858 859 OPENSSL_EXPORT uint32_t X509_get_extension_flags(X509 *x); 860 OPENSSL_EXPORT uint32_t X509_get_key_usage(X509 *x); 861 OPENSSL_EXPORT uint32_t X509_get_extended_key_usage(X509 *x); 862 863 // X509_get0_subject_key_id returns |x509|'s subject key identifier, if present. 864 // (See RFC 5280, section 4.2.1.2.) It returns NULL if the extension is not 865 // present or if some extension in |x509| was invalid. 866 // 867 // Note that decoding an |X509| object will not check for invalid extensions. To 868 // detect the error case, call |X509_get_extensions_flags| and check the 869 // |EXFLAG_INVALID| bit. 870 OPENSSL_EXPORT const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x509); 871 872 // X509_get0_authority_key_id returns keyIdentifier of |x509|'s authority key 873 // identifier, if the extension and field are present. (See RFC 5280, 874 // section 4.2.1.1.) It returns NULL if the extension is not present, if it is 875 // present but lacks a keyIdentifier field, or if some extension in |x509| was 876 // invalid. 877 // 878 // Note that decoding an |X509| object will not check for invalid extensions. To 879 // detect the error case, call |X509_get_extensions_flags| and check the 880 // |EXFLAG_INVALID| bit. 881 OPENSSL_EXPORT const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x509); 882 883 // X509_get0_authority_issuer returns the authorityCertIssuer of |x509|'s 884 // authority key identifier, if the extension and field are present. (See 885 // RFC 5280, section 4.2.1.1.) It returns NULL if the extension is not present, 886 // if it is present but lacks a authorityCertIssuer field, or if some extension 887 // in |x509| was invalid. 888 // 889 // Note that decoding an |X509| object will not check for invalid extensions. To 890 // detect the error case, call |X509_get_extensions_flags| and check the 891 // |EXFLAG_INVALID| bit. 892 OPENSSL_EXPORT const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x509); 893 894 // X509_get0_authority_serial returns the authorityCertSerialNumber of |x509|'s 895 // authority key identifier, if the extension and field are present. (See 896 // RFC 5280, section 4.2.1.1.) It returns NULL if the extension is not present, 897 // if it is present but lacks a authorityCertSerialNumber field, or if some 898 // extension in |x509| was invalid. 899 // 900 // Note that decoding an |X509| object will not check for invalid extensions. To 901 // detect the error case, call |X509_get_extensions_flags| and check the 902 // |EXFLAG_INVALID| bit. 903 OPENSSL_EXPORT const ASN1_INTEGER *X509_get0_authority_serial(X509 *x509); 904 905 OPENSSL_EXPORT int X509_PURPOSE_get_count(void); 906 OPENSSL_EXPORT X509_PURPOSE *X509_PURPOSE_get0(int idx); 907 OPENSSL_EXPORT int X509_PURPOSE_get_by_sname(char *sname); 908 OPENSSL_EXPORT int X509_PURPOSE_get_by_id(int id); 909 OPENSSL_EXPORT int X509_PURPOSE_add(int id, int trust, int flags, 910 int (*ck)(const X509_PURPOSE *, 911 const X509 *, int), 912 char *name, char *sname, void *arg); 913 OPENSSL_EXPORT char *X509_PURPOSE_get0_name(const X509_PURPOSE *xp); 914 OPENSSL_EXPORT char *X509_PURPOSE_get0_sname(const X509_PURPOSE *xp); 915 OPENSSL_EXPORT int X509_PURPOSE_get_trust(const X509_PURPOSE *xp); 916 OPENSSL_EXPORT void X509_PURPOSE_cleanup(void); 917 OPENSSL_EXPORT int X509_PURPOSE_get_id(const X509_PURPOSE *); 918 919 OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x); 920 OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x); 921 OPENSSL_EXPORT void X509_email_free(STACK_OF(OPENSSL_STRING) *sk); 922 OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x); 923 // Flags for X509_check_* functions 924 925 // Deprecated: this flag does nothing 926 #define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT 0 927 // Disable wildcard matching for dnsName fields and common name. 928 #define X509_CHECK_FLAG_NO_WILDCARDS 0x2 929 // X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS does nothing, but is necessary in 930 // OpenSSL to enable standard wildcard matching. In BoringSSL, this behavior is 931 // always enabled. 932 #define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0 933 // Deprecated: this flag does nothing 934 #define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0 935 // Deprecated: this flag does nothing 936 #define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0 937 // Skip the subject common name fallback if subjectAltNames is missing. 938 #define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20 939 940 OPENSSL_EXPORT int X509_check_host(X509 *x, const char *chk, size_t chklen, 941 unsigned int flags, char **peername); 942 OPENSSL_EXPORT int X509_check_email(X509 *x, const char *chk, size_t chklen, 943 unsigned int flags); 944 OPENSSL_EXPORT int X509_check_ip(X509 *x, const unsigned char *chk, 945 size_t chklen, unsigned int flags); 946 OPENSSL_EXPORT int X509_check_ip_asc(X509 *x, const char *ipasc, 947 unsigned int flags); 948 949 OPENSSL_EXPORT ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc); 950 OPENSSL_EXPORT ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc); 951 952 // BEGIN ERROR CODES 953 // The following lines are auto generated by the script mkerr.pl. Any changes 954 // made after this point may be overwritten when the script is next run. 955 956 957 #if defined(__cplusplus) 958 } // extern C 959 960 extern "C++" { 961 962 BSSL_NAMESPACE_BEGIN 963 964 BORINGSSL_MAKE_DELETER(ACCESS_DESCRIPTION, ACCESS_DESCRIPTION_free) 965 BORINGSSL_MAKE_DELETER(AUTHORITY_KEYID, AUTHORITY_KEYID_free) 966 BORINGSSL_MAKE_DELETER(BASIC_CONSTRAINTS, BASIC_CONSTRAINTS_free) 967 // TODO(davidben): Move this to conf.h and rename to CONF_VALUE_free. 968 BORINGSSL_MAKE_DELETER(CONF_VALUE, X509V3_conf_free) 969 BORINGSSL_MAKE_DELETER(DIST_POINT, DIST_POINT_free) 970 BORINGSSL_MAKE_DELETER(GENERAL_NAME, GENERAL_NAME_free) 971 BORINGSSL_MAKE_DELETER(GENERAL_SUBTREE, GENERAL_SUBTREE_free) 972 BORINGSSL_MAKE_DELETER(NAME_CONSTRAINTS, NAME_CONSTRAINTS_free) 973 BORINGSSL_MAKE_DELETER(POLICY_MAPPING, POLICY_MAPPING_free) 974 BORINGSSL_MAKE_DELETER(POLICYINFO, POLICYINFO_free) 975 976 BSSL_NAMESPACE_END 977 978 } // extern C++ 979 #endif 980 981 #define X509V3_R_BAD_IP_ADDRESS 100 982 #define X509V3_R_BAD_OBJECT 101 983 #define X509V3_R_BN_DEC2BN_ERROR 102 984 #define X509V3_R_BN_TO_ASN1_INTEGER_ERROR 103 985 #define X509V3_R_CANNOT_FIND_FREE_FUNCTION 104 986 #define X509V3_R_DIRNAME_ERROR 105 987 #define X509V3_R_DISTPOINT_ALREADY_SET 106 988 #define X509V3_R_DUPLICATE_ZONE_ID 107 989 #define X509V3_R_ERROR_CONVERTING_ZONE 108 990 #define X509V3_R_ERROR_CREATING_EXTENSION 109 991 #define X509V3_R_ERROR_IN_EXTENSION 110 992 #define X509V3_R_EXPECTED_A_SECTION_NAME 111 993 #define X509V3_R_EXTENSION_EXISTS 112 994 #define X509V3_R_EXTENSION_NAME_ERROR 113 995 #define X509V3_R_EXTENSION_NOT_FOUND 114 996 #define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 115 997 #define X509V3_R_EXTENSION_VALUE_ERROR 116 998 #define X509V3_R_ILLEGAL_EMPTY_EXTENSION 117 999 #define X509V3_R_ILLEGAL_HEX_DIGIT 118 1000 #define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 119 1001 #define X509V3_R_INVALID_BOOLEAN_STRING 120 1002 #define X509V3_R_INVALID_EXTENSION_STRING 121 1003 #define X509V3_R_INVALID_MULTIPLE_RDNS 122 1004 #define X509V3_R_INVALID_NAME 123 1005 #define X509V3_R_INVALID_NULL_ARGUMENT 124 1006 #define X509V3_R_INVALID_NULL_NAME 125 1007 #define X509V3_R_INVALID_NULL_VALUE 126 1008 #define X509V3_R_INVALID_NUMBER 127 1009 #define X509V3_R_INVALID_NUMBERS 128 1010 #define X509V3_R_INVALID_OBJECT_IDENTIFIER 129 1011 #define X509V3_R_INVALID_OPTION 130 1012 #define X509V3_R_INVALID_POLICY_IDENTIFIER 131 1013 #define X509V3_R_INVALID_PROXY_POLICY_SETTING 132 1014 #define X509V3_R_INVALID_PURPOSE 133 1015 #define X509V3_R_INVALID_SECTION 134 1016 #define X509V3_R_INVALID_SYNTAX 135 1017 #define X509V3_R_ISSUER_DECODE_ERROR 136 1018 #define X509V3_R_MISSING_VALUE 137 1019 #define X509V3_R_NEED_ORGANIZATION_AND_NUMBERS 138 1020 #define X509V3_R_NO_CONFIG_DATABASE 139 1021 #define X509V3_R_NO_ISSUER_CERTIFICATE 140 1022 #define X509V3_R_NO_ISSUER_DETAILS 141 1023 #define X509V3_R_NO_POLICY_IDENTIFIER 142 1024 #define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED 143 1025 #define X509V3_R_NO_PUBLIC_KEY 144 1026 #define X509V3_R_NO_SUBJECT_DETAILS 145 1027 #define X509V3_R_ODD_NUMBER_OF_DIGITS 146 1028 #define X509V3_R_OPERATION_NOT_DEFINED 147 1029 #define X509V3_R_OTHERNAME_ERROR 148 1030 #define X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED 149 1031 #define X509V3_R_POLICY_PATH_LENGTH 150 1032 #define X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED 151 1033 #define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 152 1034 #define X509V3_R_SECTION_NOT_FOUND 153 1035 #define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 154 1036 #define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 155 1037 #define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 156 1038 #define X509V3_R_UNKNOWN_EXTENSION 157 1039 #define X509V3_R_UNKNOWN_EXTENSION_NAME 158 1040 #define X509V3_R_UNKNOWN_OPTION 159 1041 #define X509V3_R_UNSUPPORTED_OPTION 160 1042 #define X509V3_R_UNSUPPORTED_TYPE 161 1043 #define X509V3_R_USER_TOO_LONG 162 1044 #define X509V3_R_INVALID_VALUE 163 1045 #define X509V3_R_TRAILING_DATA_IN_EXTENSION 164 1046 1047 #endif // OPENSSL_HEADER_X509V3_H 1048