1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay@cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay@cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] 56 */ 57 /* ==================================================================== 58 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 59 * ECDH support in OpenSSL originally developed by 60 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 61 */ 62 63 #ifndef HEADER_X509_H 64 #define HEADER_X509_H 65 66 #include <openssl/asn1.h> 67 #include <openssl/base.h> 68 #include <openssl/bio.h> 69 #include <openssl/cipher.h> 70 #include <openssl/dh.h> 71 #include <openssl/dsa.h> 72 #include <openssl/ec.h> 73 #include <openssl/ecdh.h> 74 #include <openssl/ecdsa.h> 75 #include <openssl/evp.h> 76 #include <openssl/obj.h> 77 #include <openssl/pkcs7.h> 78 #include <openssl/pool.h> 79 #include <openssl/rsa.h> 80 #include <openssl/sha.h> 81 #include <openssl/stack.h> 82 #include <openssl/thread.h> 83 #include <time.h> 84 85 #ifdef __cplusplus 86 extern "C" { 87 #endif 88 89 90 // Legacy X.509 library. 91 // 92 // This header is part of OpenSSL's X.509 implementation. It is retained for 93 // compatibility but otherwise underdocumented and not actively maintained. In 94 // the future, a replacement library will be available. Meanwhile, minimize 95 // dependencies on this header where possible. 96 97 98 #define X509_FILETYPE_PEM 1 99 #define X509_FILETYPE_ASN1 2 100 #define X509_FILETYPE_DEFAULT 3 101 102 #define X509v3_KU_DIGITAL_SIGNATURE 0x0080 103 #define X509v3_KU_NON_REPUDIATION 0x0040 104 #define X509v3_KU_KEY_ENCIPHERMENT 0x0020 105 #define X509v3_KU_DATA_ENCIPHERMENT 0x0010 106 #define X509v3_KU_KEY_AGREEMENT 0x0008 107 #define X509v3_KU_KEY_CERT_SIGN 0x0004 108 #define X509v3_KU_CRL_SIGN 0x0002 109 #define X509v3_KU_ENCIPHER_ONLY 0x0001 110 #define X509v3_KU_DECIPHER_ONLY 0x8000 111 #define X509v3_KU_UNDEF 0xffff 112 113 struct X509_algor_st { 114 ASN1_OBJECT *algorithm; 115 ASN1_TYPE *parameter; 116 } /* X509_ALGOR */; 117 118 DECLARE_ASN1_FUNCTIONS(X509_ALGOR) 119 120 DEFINE_STACK_OF(X509_ALGOR) 121 122 typedef STACK_OF(X509_ALGOR) X509_ALGORS; 123 124 DEFINE_STACK_OF(X509_NAME_ENTRY) 125 126 DEFINE_STACK_OF(X509_NAME) 127 128 typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS; 129 130 DEFINE_STACK_OF(X509_EXTENSION) 131 132 DEFINE_STACK_OF(X509_ATTRIBUTE) 133 134 // This stuff is certificate "auxiliary info" 135 // it contains details which are useful in certificate 136 // stores and databases. When used this is tagged onto 137 // the end of the certificate itself 138 139 DECLARE_STACK_OF(DIST_POINT) 140 DECLARE_STACK_OF(GENERAL_NAME) 141 142 DEFINE_STACK_OF(X509) 143 144 // This is used for a table of trust checking functions 145 146 struct x509_trust_st { 147 int trust; 148 int flags; 149 int (*check_trust)(struct x509_trust_st *, X509 *, int); 150 char *name; 151 int arg1; 152 void *arg2; 153 } /* X509_TRUST */; 154 155 DEFINE_STACK_OF(X509_TRUST) 156 157 // standard trust ids 158 159 #define X509_TRUST_DEFAULT (-1) // Only valid in purpose settings 160 161 #define X509_TRUST_COMPAT 1 162 #define X509_TRUST_SSL_CLIENT 2 163 #define X509_TRUST_SSL_SERVER 3 164 #define X509_TRUST_EMAIL 4 165 #define X509_TRUST_OBJECT_SIGN 5 166 #define X509_TRUST_OCSP_SIGN 6 167 #define X509_TRUST_OCSP_REQUEST 7 168 #define X509_TRUST_TSA 8 169 170 // Keep these up to date! 171 #define X509_TRUST_MIN 1 172 #define X509_TRUST_MAX 8 173 174 175 // trust_flags values 176 #define X509_TRUST_DYNAMIC 1 177 #define X509_TRUST_DYNAMIC_NAME 2 178 179 // check_trust return codes 180 181 #define X509_TRUST_TRUSTED 1 182 #define X509_TRUST_REJECTED 2 183 #define X509_TRUST_UNTRUSTED 3 184 185 // Flags for X509_print_ex() 186 187 #define X509_FLAG_COMPAT 0 188 #define X509_FLAG_NO_HEADER 1L 189 #define X509_FLAG_NO_VERSION (1L << 1) 190 #define X509_FLAG_NO_SERIAL (1L << 2) 191 #define X509_FLAG_NO_SIGNAME (1L << 3) 192 #define X509_FLAG_NO_ISSUER (1L << 4) 193 #define X509_FLAG_NO_VALIDITY (1L << 5) 194 #define X509_FLAG_NO_SUBJECT (1L << 6) 195 #define X509_FLAG_NO_PUBKEY (1L << 7) 196 #define X509_FLAG_NO_EXTENSIONS (1L << 8) 197 #define X509_FLAG_NO_SIGDUMP (1L << 9) 198 #define X509_FLAG_NO_AUX (1L << 10) 199 #define X509_FLAG_NO_ATTRIBUTES (1L << 11) 200 #define X509_FLAG_NO_IDS (1L << 12) 201 202 // Flags specific to X509_NAME_print_ex() 203 204 // The field separator information 205 206 #define XN_FLAG_SEP_MASK (0xf << 16) 207 208 #define XN_FLAG_COMPAT 0 // Traditional SSLeay: use old X509_NAME_print 209 #define XN_FLAG_SEP_COMMA_PLUS (1 << 16) // RFC 2253 ,+ 210 #define XN_FLAG_SEP_CPLUS_SPC (2 << 16) // ,+ spaced: more readable 211 #define XN_FLAG_SEP_SPLUS_SPC (3 << 16) // ;+ spaced 212 #define XN_FLAG_SEP_MULTILINE (4 << 16) // One line per field 213 214 #define XN_FLAG_DN_REV (1 << 20) // Reverse DN order 215 216 // How the field name is shown 217 218 #define XN_FLAG_FN_MASK (0x3 << 21) 219 220 #define XN_FLAG_FN_SN 0 // Object short name 221 #define XN_FLAG_FN_LN (1 << 21) // Object long name 222 #define XN_FLAG_FN_OID (2 << 21) // Always use OIDs 223 #define XN_FLAG_FN_NONE (3 << 21) // No field names 224 225 #define XN_FLAG_SPC_EQ (1 << 23) // Put spaces round '=' 226 227 // This determines if we dump fields we don't recognise: 228 // RFC 2253 requires this. 229 230 #define XN_FLAG_DUMP_UNKNOWN_FIELDS (1 << 24) 231 232 #define XN_FLAG_FN_ALIGN (1 << 25) // Align field names to 20 characters 233 234 // Complete set of RFC 2253 flags 235 236 #define XN_FLAG_RFC2253 \ 237 (ASN1_STRFLGS_RFC2253 | XN_FLAG_SEP_COMMA_PLUS | XN_FLAG_DN_REV | \ 238 XN_FLAG_FN_SN | XN_FLAG_DUMP_UNKNOWN_FIELDS) 239 240 // readable oneline form 241 242 #define XN_FLAG_ONELINE \ 243 (ASN1_STRFLGS_RFC2253 | ASN1_STRFLGS_ESC_QUOTE | XN_FLAG_SEP_CPLUS_SPC | \ 244 XN_FLAG_SPC_EQ | XN_FLAG_FN_SN) 245 246 // readable multiline form 247 248 #define XN_FLAG_MULTILINE \ 249 (ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB | XN_FLAG_SEP_MULTILINE | \ 250 XN_FLAG_SPC_EQ | XN_FLAG_FN_LN | XN_FLAG_FN_ALIGN) 251 252 struct x509_revoked_st { 253 ASN1_INTEGER *serialNumber; 254 ASN1_TIME *revocationDate; 255 STACK_OF(X509_EXTENSION) /* optional */ *extensions; 256 // Set up if indirect CRL 257 STACK_OF(GENERAL_NAME) *issuer; 258 // Revocation reason 259 int reason; 260 int sequence; // load sequence 261 }; 262 263 DEFINE_STACK_OF(X509_REVOKED) 264 265 DECLARE_STACK_OF(GENERAL_NAMES) 266 267 DEFINE_STACK_OF(X509_CRL) 268 269 struct private_key_st { 270 int version; 271 // The PKCS#8 data types 272 X509_ALGOR *enc_algor; 273 ASN1_OCTET_STRING *enc_pkey; // encrypted pub key 274 275 // When decrypted, the following will not be NULL 276 EVP_PKEY *dec_pkey; 277 278 // used to encrypt and decrypt 279 int key_length; 280 char *key_data; 281 int key_free; // true if we should auto free key_data 282 283 // expanded version of 'enc_algor' 284 EVP_CIPHER_INFO cipher; 285 } /* X509_PKEY */; 286 287 #ifndef OPENSSL_NO_EVP 288 struct X509_info_st { 289 X509 *x509; 290 X509_CRL *crl; 291 X509_PKEY *x_pkey; 292 293 EVP_CIPHER_INFO enc_cipher; 294 int enc_len; 295 char *enc_data; 296 297 } /* X509_INFO */; 298 299 DEFINE_STACK_OF(X509_INFO) 300 #endif 301 302 // The next 2 structures and their 8 routines were sent to me by 303 // Pat Richard <patr@x509.com> and are used to manipulate 304 // Netscapes spki structures - useful if you are writing a CA web page 305 struct Netscape_spkac_st { 306 X509_PUBKEY *pubkey; 307 ASN1_IA5STRING *challenge; // challenge sent in atlas >= PR2 308 } /* NETSCAPE_SPKAC */; 309 310 struct Netscape_spki_st { 311 NETSCAPE_SPKAC *spkac; // signed public key and challenge 312 X509_ALGOR *sig_algor; 313 ASN1_BIT_STRING *signature; 314 } /* NETSCAPE_SPKI */; 315 316 #ifdef __cplusplus 317 } 318 #endif 319 320 #include <openssl/x509_vfy.h> 321 322 #ifdef __cplusplus 323 extern "C" { 324 #endif 325 326 // TODO(davidben): Document remaining functions, reorganize them, and define 327 // supported patterns for using |X509| objects in general. In particular, when 328 // it is safe to call mutating functions is a little tricky due to various 329 // internal caches. 330 331 // X509_VERSION_* are X.509 version numbers. Note the numerical values of all 332 // defined X.509 versions are one less than the named version. 333 #define X509_VERSION_1 0 334 #define X509_VERSION_2 1 335 #define X509_VERSION_3 2 336 337 // X509_get_version returns the numerical value of |x509|'s version. Callers may 338 // compare the result to the |X509_VERSION_*| constants. Unknown versions are 339 // rejected by the parser, but a manually-created |X509| object may encode 340 // invalid versions. In that case, the function will return the invalid version, 341 // or -1 on overflow. 342 OPENSSL_EXPORT long X509_get_version(const X509 *x509); 343 344 // X509_set_version sets |x509|'s version to |version|, which should be one of 345 // the |X509V_VERSION_*| constants. It returns one on success and zero on error. 346 // 347 // If unsure, use |X509_VERSION_3|. 348 OPENSSL_EXPORT int X509_set_version(X509 *x509, long version); 349 350 // X509_get0_serialNumber returns |x509|'s serial number. 351 OPENSSL_EXPORT const ASN1_INTEGER *X509_get0_serialNumber(const X509 *x509); 352 353 // X509_set_serialNumber sets |x509|'s serial number to |serial|. It returns one 354 // on success and zero on error. 355 OPENSSL_EXPORT int X509_set_serialNumber(X509 *x509, 356 const ASN1_INTEGER *serial); 357 358 // X509_get0_notBefore returns |x509|'s notBefore time. 359 OPENSSL_EXPORT const ASN1_TIME *X509_get0_notBefore(const X509 *x509); 360 361 // X509_get0_notAfter returns |x509|'s notAfter time. 362 OPENSSL_EXPORT const ASN1_TIME *X509_get0_notAfter(const X509 *x509); 363 364 // X509_set1_notBefore sets |x509|'s notBefore time to |tm|. It returns one on 365 // success and zero on error. 366 OPENSSL_EXPORT int X509_set1_notBefore(X509 *x509, const ASN1_TIME *tm); 367 368 // X509_set1_notAfter sets |x509|'s notAfter time to |tm|. it returns one on 369 // success and zero on error. 370 OPENSSL_EXPORT int X509_set1_notAfter(X509 *x509, const ASN1_TIME *tm); 371 372 // X509_getm_notBefore returns a mutable pointer to |x509|'s notBefore time. 373 OPENSSL_EXPORT ASN1_TIME *X509_getm_notBefore(X509 *x509); 374 375 // X509_getm_notAfter returns a mutable pointer to |x509|'s notAfter time. 376 OPENSSL_EXPORT ASN1_TIME *X509_getm_notAfter(X509 *x); 377 378 // X509_get_notBefore returns |x509|'s notBefore time. Note this function is not 379 // const-correct for legacy reasons. Use |X509_get0_notBefore| or 380 // |X509_getm_notBefore| instead. 381 OPENSSL_EXPORT ASN1_TIME *X509_get_notBefore(const X509 *x509); 382 383 // X509_get_notAfter returns |x509|'s notAfter time. Note this function is not 384 // const-correct for legacy reasons. Use |X509_get0_notAfter| or 385 // |X509_getm_notAfter| instead. 386 OPENSSL_EXPORT ASN1_TIME *X509_get_notAfter(const X509 *x509); 387 388 // X509_set_notBefore calls |X509_set1_notBefore|. Use |X509_set1_notBefore| 389 // instead. 390 OPENSSL_EXPORT int X509_set_notBefore(X509 *x509, const ASN1_TIME *tm); 391 392 // X509_set_notAfter calls |X509_set1_notAfter|. Use |X509_set1_notAfter| 393 // instead. 394 OPENSSL_EXPORT int X509_set_notAfter(X509 *x509, const ASN1_TIME *tm); 395 396 // X509_get0_uids sets |*out_issuer_uid| to a non-owning pointer to the 397 // issuerUID field of |x509|, or NULL if |x509| has no issuerUID. It similarly 398 // outputs |x509|'s subjectUID field to |*out_subject_uid|. 399 // 400 // Callers may pass NULL to either |out_issuer_uid| or |out_subject_uid| to 401 // ignore the corresponding field. 402 OPENSSL_EXPORT void X509_get0_uids(const X509 *x509, 403 const ASN1_BIT_STRING **out_issuer_uid, 404 const ASN1_BIT_STRING **out_subject_uid); 405 406 // X509_extract_key is a legacy alias to |X509_get_pubkey|. Use 407 // |X509_get_pubkey| instead. 408 #define X509_extract_key(x) X509_get_pubkey(x) 409 410 // X509_get_pathlen returns path length constraint from the basic constraints 411 // extension in |x509|. (See RFC 5280, section 4.2.1.9.) It returns -1 if the 412 // constraint is not present, or if some extension in |x509| was invalid. 413 // 414 // Note that decoding an |X509| object will not check for invalid extensions. To 415 // detect the error case, call |X509_get_extensions_flags| and check the 416 // |EXFLAG_INVALID| bit. 417 OPENSSL_EXPORT long X509_get_pathlen(X509 *x509); 418 419 // X509_REQ_VERSION_1 is the version constant for |X509_REQ| objects. Note no 420 // other versions are defined. 421 #define X509_REQ_VERSION_1 0 422 423 // X509_REQ_get_version returns the numerical value of |req|'s version. This 424 // will be |X509_REQ_VERSION_1| for valid certificate requests. If |req| is 425 // invalid, it may return another value, or -1 on overflow. 426 // 427 // TODO(davidben): Enforce the version number in the parser. 428 OPENSSL_EXPORT long X509_REQ_get_version(const X509_REQ *req); 429 430 // X509_REQ_get_subject_name returns |req|'s subject name. Note this function is 431 // not const-correct for legacy reasons. 432 OPENSSL_EXPORT X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req); 433 434 // X509_REQ_extract_key is a legacy alias for |X509_REQ_get_pubkey|. 435 #define X509_REQ_extract_key(a) X509_REQ_get_pubkey(a) 436 437 // X509_name_cmp is a legacy alias for |X509_NAME_cmp|. 438 #define X509_name_cmp(a, b) X509_NAME_cmp((a), (b)) 439 440 #define X509_CRL_VERSION_1 0 441 #define X509_CRL_VERSION_2 1 442 443 // X509_CRL_get_version returns the numerical value of |crl|'s version. Callers 444 // may compare the result to |X509_CRL_VERSION_*| constants. If |crl| is 445 // invalid, it may return another value, or -1 on overflow. 446 // 447 // TODO(davidben): Enforce the version number in the parser. 448 OPENSSL_EXPORT long X509_CRL_get_version(const X509_CRL *crl); 449 450 // X509_CRL_get0_lastUpdate returns |crl|'s lastUpdate time. 451 OPENSSL_EXPORT const ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl); 452 453 // X509_CRL_get0_nextUpdate returns |crl|'s nextUpdate time, or NULL if |crl| 454 // has none. 455 OPENSSL_EXPORT const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl); 456 457 // X509_CRL_set1_lastUpdate sets |crl|'s lastUpdate time to |tm|. It returns one 458 // on success and zero on error. 459 OPENSSL_EXPORT int X509_CRL_set1_lastUpdate(X509_CRL *crl, const ASN1_TIME *tm); 460 461 // X509_CRL_set1_nextUpdate sets |crl|'s nextUpdate time to |tm|. It returns one 462 // on success and zero on error. 463 OPENSSL_EXPORT int X509_CRL_set1_nextUpdate(X509_CRL *crl, const ASN1_TIME *tm); 464 465 // The following symbols are deprecated aliases to |X509_CRL_set1_*|. 466 #define X509_CRL_set_lastUpdate X509_CRL_set1_lastUpdate 467 #define X509_CRL_set_nextUpdate X509_CRL_set1_nextUpdate 468 469 // X509_CRL_get_lastUpdate returns a mutable pointer to |crl|'s lastUpdate time. 470 // Use |X509_CRL_get0_lastUpdate| or |X509_CRL_set1_lastUpdate| instead. 471 OPENSSL_EXPORT ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl); 472 473 // X509_CRL_get_nextUpdate returns a mutable pointer to |crl|'s nextUpdate time, 474 // or NULL if |crl| has none. Use |X509_CRL_get0_nextUpdate| or 475 // |X509_CRL_set1_nextUpdate| instead. 476 OPENSSL_EXPORT ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl); 477 478 // X509_CRL_get_issuer returns |crl|'s issuer name. Note this function is not 479 // const-correct for legacy reasons. 480 OPENSSL_EXPORT X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl); 481 482 // X509_CRL_get_REVOKED returns the list of revoked certificates in |crl|, or 483 // NULL if |crl| omits it. 484 // 485 // TOOD(davidben): This function was originally a macro, without clear const 486 // semantics. It should take a const input and give const output, but the latter 487 // would break existing callers. For now, we match upstream. 488 OPENSSL_EXPORT STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl); 489 490 // X509_CRL_get0_extensions returns |crl|'s extension list, or NULL if |crl| 491 // omits it. 492 OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions( 493 const X509_CRL *crl); 494 495 // X509_SIG_get0 sets |*out_alg| and |*out_digest| to non-owning pointers to 496 // |sig|'s algorithm and digest fields, respectively. Either |out_alg| and 497 // |out_digest| may be NULL to skip those fields. 498 OPENSSL_EXPORT void X509_SIG_get0(const X509_SIG *sig, 499 const X509_ALGOR **out_alg, 500 const ASN1_OCTET_STRING **out_digest); 501 502 // X509_SIG_getm behaves like |X509_SIG_get0| but returns mutable pointers. 503 OPENSSL_EXPORT void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **out_alg, 504 ASN1_OCTET_STRING **out_digest); 505 506 OPENSSL_EXPORT void X509_CRL_set_default_method(const X509_CRL_METHOD *meth); 507 OPENSSL_EXPORT X509_CRL_METHOD *X509_CRL_METHOD_new( 508 int (*crl_init)(X509_CRL *crl), int (*crl_free)(X509_CRL *crl), 509 int (*crl_lookup)(X509_CRL *crl, X509_REVOKED **ret, ASN1_INTEGER *ser, 510 X509_NAME *issuer), 511 int (*crl_verify)(X509_CRL *crl, EVP_PKEY *pk)); 512 OPENSSL_EXPORT void X509_CRL_METHOD_free(X509_CRL_METHOD *m); 513 514 OPENSSL_EXPORT void X509_CRL_set_meth_data(X509_CRL *crl, void *dat); 515 OPENSSL_EXPORT void *X509_CRL_get_meth_data(X509_CRL *crl); 516 517 // X509_get_X509_PUBKEY returns the public key of |x509|. Note this function is 518 // not const-correct for legacy reasons. Callers should not modify the returned 519 // object. 520 OPENSSL_EXPORT X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x509); 521 522 // X509_verify_cert_error_string returns |err| as a human-readable string, where 523 // |err| should be one of the |X509_V_*| values. If |err| is unknown, it returns 524 // a default description. 525 // 526 // TODO(davidben): Move this function to x509_vfy.h, with the |X509_V_*| 527 // definitions, or fold x509_vfy.h into this function. 528 OPENSSL_EXPORT const char *X509_verify_cert_error_string(long err); 529 530 // X509_verify checks that |x509| has a valid signature by |pkey|. It returns 531 // one if the signature is valid and zero otherwise. Note this function only 532 // checks the signature itself and does not perform a full certificate 533 // validation. 534 OPENSSL_EXPORT int X509_verify(X509 *x509, EVP_PKEY *pkey); 535 536 // X509_REQ_verify checks that |req| has a valid signature by |pkey|. It returns 537 // one if the signature is valid and zero otherwise. 538 OPENSSL_EXPORT int X509_REQ_verify(X509_REQ *req, EVP_PKEY *pkey); 539 540 // X509_CRL_verify checks that |crl| has a valid signature by |pkey|. It returns 541 // one if the signature is valid and zero otherwise. 542 OPENSSL_EXPORT int X509_CRL_verify(X509_CRL *crl, EVP_PKEY *pkey); 543 544 // NETSCAPE_SPKI_verify checks that |spki| has a valid signature by |pkey|. It 545 // returns one if the signature is valid and zero otherwise. 546 OPENSSL_EXPORT int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *spki, EVP_PKEY *pkey); 547 548 // NETSCAPE_SPKI_b64_decode decodes |len| bytes from |str| as a base64-encoded 549 // Netscape signed public key and challenge (SPKAC) structure. It returns a 550 // newly-allocated |NETSCAPE_SPKI| structure with the result, or NULL on error. 551 // If |len| is 0 or negative, the length is calculated with |strlen| and |str| 552 // must be a NUL-terminated C string. 553 OPENSSL_EXPORT NETSCAPE_SPKI *NETSCAPE_SPKI_b64_decode(const char *str, 554 int len); 555 556 // NETSCAPE_SPKI_b64_encode encodes |spki| as a base64-encoded Netscape signed 557 // public key and challenge (SPKAC) structure. It returns a newly-allocated 558 // NUL-terminated C string with the result, or NULL on error. The caller must 559 // release the memory with |OPENSSL_free| when done. 560 OPENSSL_EXPORT char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki); 561 562 // NETSCAPE_SPKI_get_pubkey decodes and returns the public key in |spki| as an 563 // |EVP_PKEY|, or NULL on error. The caller takes ownership of the resulting 564 // pointer and must call |EVP_PKEY_free| when done. 565 OPENSSL_EXPORT EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *spki); 566 567 // NETSCAPE_SPKI_set_pubkey sets |spki|'s public key to |pkey|. It returns one 568 // on success or zero on error. This function does not take ownership of |pkey|, 569 // so the caller may continue to manage its lifetime independently of |spki|. 570 OPENSSL_EXPORT int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *spki, 571 EVP_PKEY *pkey); 572 573 // X509_signature_dump writes a human-readable representation of |sig| to |bio|, 574 // indented with |indent| spaces. It returns one on success and zero on error. 575 OPENSSL_EXPORT int X509_signature_dump(BIO *bio, const ASN1_STRING *sig, 576 int indent); 577 578 // X509_signature_print writes a human-readable representation of |alg| and 579 // |sig| to |bio|. It returns one on success and zero on error. 580 OPENSSL_EXPORT int X509_signature_print(BIO *bio, const X509_ALGOR *alg, 581 const ASN1_STRING *sig); 582 583 // X509_sign signs |x509| with |pkey| and replaces the signature algorithm and 584 // signature fields. It returns one on success and zero on error. This function 585 // uses digest algorithm |md|, or |pkey|'s default if NULL. Other signing 586 // parameters use |pkey|'s defaults. To customize them, use |X509_sign_ctx|. 587 OPENSSL_EXPORT int X509_sign(X509 *x509, EVP_PKEY *pkey, const EVP_MD *md); 588 589 // X509_sign_ctx signs |x509| with |ctx| and replaces the signature algorithm 590 // and signature fields. It returns one on success and zero on error. The 591 // signature algorithm and parameters come from |ctx|, which must have been 592 // initialized with |EVP_DigestSignInit|. The caller should configure the 593 // corresponding |EVP_PKEY_CTX| before calling this function. 594 OPENSSL_EXPORT int X509_sign_ctx(X509 *x509, EVP_MD_CTX *ctx); 595 596 // X509_REQ_sign signs |req| with |pkey| and replaces the signature algorithm 597 // and signature fields. It returns one on success and zero on error. This 598 // function uses digest algorithm |md|, or |pkey|'s default if NULL. Other 599 // signing parameters use |pkey|'s defaults. To customize them, use 600 // |X509_REQ_sign_ctx|. 601 OPENSSL_EXPORT int X509_REQ_sign(X509_REQ *req, EVP_PKEY *pkey, 602 const EVP_MD *md); 603 604 // X509_REQ_sign_ctx signs |req| with |ctx| and replaces the signature algorithm 605 // and signature fields. It returns one on success and zero on error. The 606 // signature algorithm and parameters come from |ctx|, which must have been 607 // initialized with |EVP_DigestSignInit|. The caller should configure the 608 // corresponding |EVP_PKEY_CTX| before calling this function. 609 OPENSSL_EXPORT int X509_REQ_sign_ctx(X509_REQ *req, EVP_MD_CTX *ctx); 610 611 // X509_CRL_sign signs |crl| with |pkey| and replaces the signature algorithm 612 // and signature fields. It returns one on success and zero on error. This 613 // function uses digest algorithm |md|, or |pkey|'s default if NULL. Other 614 // signing parameters use |pkey|'s defaults. To customize them, use 615 // |X509_CRL_sign_ctx|. 616 OPENSSL_EXPORT int X509_CRL_sign(X509_CRL *crl, EVP_PKEY *pkey, 617 const EVP_MD *md); 618 619 // X509_CRL_sign_ctx signs |crl| with |ctx| and replaces the signature algorithm 620 // and signature fields. It returns one on success and zero on error. The 621 // signature algorithm and parameters come from |ctx|, which must have been 622 // initialized with |EVP_DigestSignInit|. The caller should configure the 623 // corresponding |EVP_PKEY_CTX| before calling this function. 624 OPENSSL_EXPORT int X509_CRL_sign_ctx(X509_CRL *crl, EVP_MD_CTX *ctx); 625 626 // NETSCAPE_SPKI_sign signs |spki| with |pkey| and replaces the signature 627 // algorithm and signature fields. It returns one on success and zero on error. 628 // This function uses digest algorithm |md|, or |pkey|'s default if NULL. Other 629 // signing parameters use |pkey|'s defaults. 630 OPENSSL_EXPORT int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *spki, EVP_PKEY *pkey, 631 const EVP_MD *md); 632 633 // X509_pubkey_digest hashes the DER encoding of |x509|'s subjectPublicKeyInfo 634 // field with |md| and writes the result to |out|. |EVP_MD_CTX_size| bytes are 635 // written, which is at most |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, 636 // |*out_len| is set to the number of bytes written. This function returns one 637 // on success and zero on error. 638 OPENSSL_EXPORT int X509_pubkey_digest(const X509 *x509, const EVP_MD *md, 639 uint8_t *out, unsigned *out_len); 640 641 // X509_digest hashes |x509|'s DER encoding with |md| and writes the result to 642 // |out|. |EVP_MD_CTX_size| bytes are written, which is at most 643 // |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number 644 // of bytes written. This function returns one on success and zero on error. 645 // Note this digest covers the entire certificate, not just the signed portion. 646 OPENSSL_EXPORT int X509_digest(const X509 *x509, const EVP_MD *md, uint8_t *out, 647 unsigned *out_len); 648 649 // X509_CRL_digest hashes |crl|'s DER encoding with |md| and writes the result 650 // to |out|. |EVP_MD_CTX_size| bytes are written, which is at most 651 // |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number 652 // of bytes written. This function returns one on success and zero on error. 653 // Note this digest covers the entire CRL, not just the signed portion. 654 OPENSSL_EXPORT int X509_CRL_digest(const X509_CRL *crl, const EVP_MD *md, 655 uint8_t *out, unsigned *out_len); 656 657 // X509_REQ_digest hashes |req|'s DER encoding with |md| and writes the result 658 // to |out|. |EVP_MD_CTX_size| bytes are written, which is at most 659 // |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number 660 // of bytes written. This function returns one on success and zero on error. 661 // Note this digest covers the entire certificate request, not just the signed 662 // portion. 663 OPENSSL_EXPORT int X509_REQ_digest(const X509_REQ *req, const EVP_MD *md, 664 uint8_t *out, unsigned *out_len); 665 666 // X509_NAME_digest hashes |name|'s DER encoding with |md| and writes the result 667 // to |out|. |EVP_MD_CTX_size| bytes are written, which is at most 668 // |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number 669 // of bytes written. This function returns one on success and zero on error. 670 OPENSSL_EXPORT int X509_NAME_digest(const X509_NAME *name, const EVP_MD *md, 671 uint8_t *out, unsigned *out_len); 672 673 // X509_parse_from_buffer parses an X.509 structure from |buf| and returns a 674 // fresh X509 or NULL on error. There must not be any trailing data in |buf|. 675 // The returned structure (if any) holds a reference to |buf| rather than 676 // copying parts of it as a normal |d2i_X509| call would do. 677 OPENSSL_EXPORT X509 *X509_parse_from_buffer(CRYPTO_BUFFER *buf); 678 679 OPENSSL_EXPORT X509 *d2i_X509_fp(FILE *fp, X509 **x509); 680 OPENSSL_EXPORT int i2d_X509_fp(FILE *fp, X509 *x509); 681 OPENSSL_EXPORT X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl); 682 OPENSSL_EXPORT int i2d_X509_CRL_fp(FILE *fp, X509_CRL *crl); 683 OPENSSL_EXPORT X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **req); 684 OPENSSL_EXPORT int i2d_X509_REQ_fp(FILE *fp, X509_REQ *req); 685 OPENSSL_EXPORT RSA *d2i_RSAPrivateKey_fp(FILE *fp, RSA **rsa); 686 OPENSSL_EXPORT int i2d_RSAPrivateKey_fp(FILE *fp, RSA *rsa); 687 OPENSSL_EXPORT RSA *d2i_RSAPublicKey_fp(FILE *fp, RSA **rsa); 688 OPENSSL_EXPORT int i2d_RSAPublicKey_fp(FILE *fp, RSA *rsa); 689 OPENSSL_EXPORT RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa); 690 OPENSSL_EXPORT int i2d_RSA_PUBKEY_fp(FILE *fp, RSA *rsa); 691 #ifndef OPENSSL_NO_DSA 692 OPENSSL_EXPORT DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa); 693 OPENSSL_EXPORT int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa); 694 OPENSSL_EXPORT DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa); 695 OPENSSL_EXPORT int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa); 696 #endif 697 OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey); 698 OPENSSL_EXPORT int i2d_EC_PUBKEY_fp(FILE *fp, EC_KEY *eckey); 699 OPENSSL_EXPORT EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey); 700 OPENSSL_EXPORT int i2d_ECPrivateKey_fp(FILE *fp, EC_KEY *eckey); 701 OPENSSL_EXPORT X509_SIG *d2i_PKCS8_fp(FILE *fp, X509_SIG **p8); 702 OPENSSL_EXPORT int i2d_PKCS8_fp(FILE *fp, X509_SIG *p8); 703 OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp( 704 FILE *fp, PKCS8_PRIV_KEY_INFO **p8inf); 705 OPENSSL_EXPORT int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, 706 PKCS8_PRIV_KEY_INFO *p8inf); 707 OPENSSL_EXPORT int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key); 708 OPENSSL_EXPORT int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey); 709 OPENSSL_EXPORT EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a); 710 OPENSSL_EXPORT int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey); 711 OPENSSL_EXPORT EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a); 712 713 OPENSSL_EXPORT X509 *d2i_X509_bio(BIO *bp, X509 **x509); 714 OPENSSL_EXPORT int i2d_X509_bio(BIO *bp, X509 *x509); 715 OPENSSL_EXPORT X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl); 716 OPENSSL_EXPORT int i2d_X509_CRL_bio(BIO *bp, X509_CRL *crl); 717 OPENSSL_EXPORT X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **req); 718 OPENSSL_EXPORT int i2d_X509_REQ_bio(BIO *bp, X509_REQ *req); 719 OPENSSL_EXPORT RSA *d2i_RSAPrivateKey_bio(BIO *bp, RSA **rsa); 720 OPENSSL_EXPORT int i2d_RSAPrivateKey_bio(BIO *bp, RSA *rsa); 721 OPENSSL_EXPORT RSA *d2i_RSAPublicKey_bio(BIO *bp, RSA **rsa); 722 OPENSSL_EXPORT int i2d_RSAPublicKey_bio(BIO *bp, RSA *rsa); 723 OPENSSL_EXPORT RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa); 724 OPENSSL_EXPORT int i2d_RSA_PUBKEY_bio(BIO *bp, RSA *rsa); 725 #ifndef OPENSSL_NO_DSA 726 OPENSSL_EXPORT DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa); 727 OPENSSL_EXPORT int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa); 728 OPENSSL_EXPORT DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa); 729 OPENSSL_EXPORT int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa); 730 #endif 731 OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey); 732 OPENSSL_EXPORT int i2d_EC_PUBKEY_bio(BIO *bp, EC_KEY *eckey); 733 OPENSSL_EXPORT EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey); 734 OPENSSL_EXPORT int i2d_ECPrivateKey_bio(BIO *bp, EC_KEY *eckey); 735 OPENSSL_EXPORT X509_SIG *d2i_PKCS8_bio(BIO *bp, X509_SIG **p8); 736 OPENSSL_EXPORT int i2d_PKCS8_bio(BIO *bp, X509_SIG *p8); 737 OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio( 738 BIO *bp, PKCS8_PRIV_KEY_INFO **p8inf); 739 OPENSSL_EXPORT int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, 740 PKCS8_PRIV_KEY_INFO *p8inf); 741 OPENSSL_EXPORT int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key); 742 OPENSSL_EXPORT int i2d_PrivateKey_bio(BIO *bp, EVP_PKEY *pkey); 743 OPENSSL_EXPORT EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a); 744 OPENSSL_EXPORT int i2d_PUBKEY_bio(BIO *bp, EVP_PKEY *pkey); 745 OPENSSL_EXPORT EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a); 746 OPENSSL_EXPORT DH *d2i_DHparams_bio(BIO *bp, DH **dh); 747 OPENSSL_EXPORT int i2d_DHparams_bio(BIO *bp, const DH *dh); 748 749 OPENSSL_EXPORT X509 *X509_dup(X509 *x509); 750 OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_dup(X509_ATTRIBUTE *xa); 751 OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_dup(X509_EXTENSION *ex); 752 OPENSSL_EXPORT X509_CRL *X509_CRL_dup(X509_CRL *crl); 753 OPENSSL_EXPORT X509_REVOKED *X509_REVOKED_dup(X509_REVOKED *rev); 754 OPENSSL_EXPORT X509_REQ *X509_REQ_dup(X509_REQ *req); 755 OPENSSL_EXPORT X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn); 756 757 // X509_ALGOR_set0 sets |alg| to an AlgorithmIdentifier with algorithm |obj| and 758 // parameter determined by |param_type| and |param_value|. It returns one on 759 // success and zero on error. This function takes ownership of |obj| and 760 // |param_value| on success. 761 // 762 // If |param_type| is |V_ASN1_UNDEF|, the parameter is omitted. If |param_type| 763 // is zero, the parameter is left unchanged. Otherwise, |param_type| and 764 // |param_value| are interpreted as in |ASN1_TYPE_set|. 765 // 766 // Note omitting the parameter (|V_ASN1_UNDEF|) and encoding an explicit NULL 767 // value (|V_ASN1_NULL|) are different. Some algorithms require one and some the 768 // other. Consult the relevant specification before calling this function. The 769 // correct parameter for an RSASSA-PKCS1-v1_5 signature is |V_ASN1_NULL|. The 770 // correct one for an ECDSA or Ed25519 signature is |V_ASN1_UNDEF|. 771 OPENSSL_EXPORT int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *obj, 772 int param_type, void *param_value); 773 774 // X509_ALGOR_get0 sets |*out_obj| to the |alg|'s algorithm. If |alg|'s 775 // parameter is omitted, it sets |*out_param_type| and |*out_param_value| to 776 // |V_ASN1_UNDEF| and NULL. Otherwise, it sets |*out_param_type| and 777 // |*out_param_value| to the parameter, using the same representation as 778 // |ASN1_TYPE_set0|. See |ASN1_TYPE_set0| and |ASN1_TYPE| for details. 779 // 780 // Callers that require the parameter in serialized form should, after checking 781 // for |V_ASN1_UNDEF|, use |ASN1_TYPE_set1| and |d2i_ASN1_TYPE|, rather than 782 // inspecting |*out_param_value|. 783 // 784 // Each of |out_obj|, |out_param_type|, and |out_param_value| may be NULL to 785 // ignore the output. If |out_param_type| is NULL, |out_param_value| is ignored. 786 // 787 // WARNING: If |*out_param_type| is set to |V_ASN1_UNDEF|, OpenSSL and older 788 // revisions of BoringSSL leave |*out_param_value| unset rather than setting it 789 // to NULL. Callers that support both OpenSSL and BoringSSL should not assume 790 // |*out_param_value| is uniformly initialized. 791 OPENSSL_EXPORT void X509_ALGOR_get0(const ASN1_OBJECT **out_obj, 792 int *out_param_type, 793 const void **out_param_value, 794 const X509_ALGOR *alg); 795 796 // X509_ALGOR_set_md sets |alg| to the hash function |md|. Note this 797 // AlgorithmIdentifier represents the hash function itself, not a signature 798 // algorithm that uses |md|. 799 OPENSSL_EXPORT void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md); 800 801 // X509_ALGOR_cmp returns zero if |a| and |b| are equal, and some non-zero value 802 // otherwise. Note this function can only be used for equality checks, not an 803 // ordering. 804 OPENSSL_EXPORT int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b); 805 806 OPENSSL_EXPORT X509_NAME *X509_NAME_dup(X509_NAME *xn); 807 OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne); 808 OPENSSL_EXPORT int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne); 809 810 OPENSSL_EXPORT int X509_NAME_get0_der(X509_NAME *nm, const unsigned char **pder, 811 size_t *pderlen); 812 813 // X509_cmp_time compares |s| against |*t|. On success, it returns a negative 814 // number if |s| <= |*t| and a positive number if |s| > |*t|. On error, it 815 // returns zero. If |t| is NULL, it uses the current time instead of |*t|. 816 // 817 // WARNING: Unlike most comparison functions, this function returns zero on 818 // error, not equality. 819 OPENSSL_EXPORT int X509_cmp_time(const ASN1_TIME *s, time_t *t); 820 821 // X509_cmp_current_time behaves like |X509_cmp_time| but compares |s| against 822 // the current time. 823 OPENSSL_EXPORT int X509_cmp_current_time(const ASN1_TIME *s); 824 825 // X509_time_adj calls |X509_time_adj_ex| with |offset_day| equal to zero. 826 OPENSSL_EXPORT ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, 827 time_t *t); 828 829 // X509_time_adj_ex behaves like |ASN1_TIME_adj|, but adds an offset to |*t|. If 830 // |t| is NULL, it uses the current time instead of |*t|. 831 OPENSSL_EXPORT ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, int offset_day, 832 long offset_sec, time_t *t); 833 834 // X509_gmtime_adj behaves like |X509_time_adj_ex| but adds |offset_sec| to the 835 // current time. 836 OPENSSL_EXPORT ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long offset_sec); 837 838 OPENSSL_EXPORT const char *X509_get_default_cert_area(void); 839 OPENSSL_EXPORT const char *X509_get_default_cert_dir(void); 840 OPENSSL_EXPORT const char *X509_get_default_cert_file(void); 841 OPENSSL_EXPORT const char *X509_get_default_cert_dir_env(void); 842 OPENSSL_EXPORT const char *X509_get_default_cert_file_env(void); 843 OPENSSL_EXPORT const char *X509_get_default_private_dir(void); 844 845 OPENSSL_EXPORT X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, 846 const EVP_MD *md); 847 848 DECLARE_ASN1_ENCODE_FUNCTIONS(X509_ALGORS, X509_ALGORS, X509_ALGORS) 849 DECLARE_ASN1_FUNCTIONS(X509_VAL) 850 851 DECLARE_ASN1_FUNCTIONS(X509_PUBKEY) 852 853 // X509_PUBKEY_set serializes |pkey| into a newly-allocated |X509_PUBKEY| 854 // structure. On success, it frees |*x|, sets |*x| to the new object, and 855 // returns one. Otherwise, it returns zero. 856 OPENSSL_EXPORT int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey); 857 858 // X509_PUBKEY_get decodes the public key in |key| and returns an |EVP_PKEY| on 859 // success, or NULL on error. The caller must release the result with 860 // |EVP_PKEY_free| when done. The |EVP_PKEY| is cached in |key|, so callers must 861 // not mutate the result. 862 OPENSSL_EXPORT EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key); 863 864 DECLARE_ASN1_FUNCTIONS(X509_SIG) 865 DECLARE_ASN1_FUNCTIONS(X509_REQ) 866 867 DECLARE_ASN1_FUNCTIONS(X509_ATTRIBUTE) 868 869 // X509_ATTRIBUTE_create returns a newly-allocated |X509_ATTRIBUTE|, or NULL on 870 // error. The attribute has type |nid| and contains a single value determined by 871 // |attrtype| and |value|, which are interpreted as in |ASN1_TYPE_set|. Note 872 // this function takes ownership of |value|. 873 OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int attrtype, 874 void *value); 875 876 DECLARE_ASN1_FUNCTIONS(X509_EXTENSION) 877 DECLARE_ASN1_ENCODE_FUNCTIONS(X509_EXTENSIONS, X509_EXTENSIONS, X509_EXTENSIONS) 878 879 DECLARE_ASN1_FUNCTIONS(X509_NAME_ENTRY) 880 881 DECLARE_ASN1_FUNCTIONS(X509_NAME) 882 883 // X509_NAME_set makes a copy of |name|. On success, it frees |*xn|, sets |*xn| 884 // to the copy, and returns one. Otherwise, it returns zero. 885 OPENSSL_EXPORT int X509_NAME_set(X509_NAME **xn, X509_NAME *name); 886 887 DECLARE_ASN1_FUNCTIONS(X509) 888 DECLARE_ASN1_FUNCTIONS(X509_CERT_AUX) 889 890 // X509_up_ref adds one to the reference count of |x509| and returns one. 891 OPENSSL_EXPORT int X509_up_ref(X509 *x509); 892 893 OPENSSL_EXPORT int X509_get_ex_new_index(long argl, void *argp, 894 CRYPTO_EX_unused *unused, 895 CRYPTO_EX_dup *dup_unused, 896 CRYPTO_EX_free *free_func); 897 OPENSSL_EXPORT int X509_set_ex_data(X509 *r, int idx, void *arg); 898 OPENSSL_EXPORT void *X509_get_ex_data(X509 *r, int idx); 899 OPENSSL_EXPORT int i2d_X509_AUX(X509 *a, unsigned char **pp); 900 OPENSSL_EXPORT X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, 901 long length); 902 903 // i2d_re_X509_tbs serializes the TBSCertificate portion of |x509|. If |outp| is 904 // NULL, nothing is written. Otherwise, if |*outp| is not NULL, the result is 905 // written to |*outp|, which must have enough space available, and |*outp| is 906 // advanced just past the output. If |outp| is non-NULL and |*outp| is NULL, it 907 // sets |*outp| to a newly-allocated buffer containing the result. The caller is 908 // responsible for releasing the buffer with |OPENSSL_free|. In all cases, this 909 // function returns the number of bytes in the result, whether written or not, 910 // or a negative value on error. 911 // 912 // This function re-encodes the TBSCertificate and may not reflect |x509|'s 913 // original encoding. It may be used to manually generate a signature for a new 914 // certificate. To verify certificates, use |i2d_X509_tbs| instead. 915 OPENSSL_EXPORT int i2d_re_X509_tbs(X509 *x509, unsigned char **outp); 916 917 // i2d_X509_tbs serializes the TBSCertificate portion of |x509|. If |outp| is 918 // NULL, nothing is written. Otherwise, if |*outp| is not NULL, the result is 919 // written to |*outp|, which must have enough space available, and |*outp| is 920 // advanced just past the output. If |outp| is non-NULL and |*outp| is NULL, it 921 // sets |*outp| to a newly-allocated buffer containing the result. The caller is 922 // responsible for releasing the buffer with |OPENSSL_free|. In all cases, this 923 // function returns the number of bytes in the result, whether written or not, 924 // or a negative value on error. 925 // 926 // This function preserves the original encoding of the TBSCertificate and may 927 // not reflect modifications made to |x509|. It may be used to manually verify 928 // the signature of an existing certificate. To generate certificates, use 929 // |i2d_re_X509_tbs| instead. 930 OPENSSL_EXPORT int i2d_X509_tbs(X509 *x509, unsigned char **outp); 931 932 // X509_set1_signature_algo sets |x509|'s signature algorithm to |algo| and 933 // returns one on success or zero on error. It updates both the signature field 934 // of the TBSCertificate structure, and the signatureAlgorithm field of the 935 // Certificate. 936 OPENSSL_EXPORT int X509_set1_signature_algo(X509 *x509, const X509_ALGOR *algo); 937 938 // X509_set1_signature_value sets |x509|'s signature to a copy of the |sig_len| 939 // bytes pointed by |sig|. It returns one on success and zero on error. 940 // 941 // Due to a specification error, X.509 certificates store signatures in ASN.1 942 // BIT STRINGs, but signature algorithms return byte strings rather than bit 943 // strings. This function creates a BIT STRING containing a whole number of 944 // bytes, with the bit order matching the DER encoding. This matches the 945 // encoding used by all X.509 signature algorithms. 946 OPENSSL_EXPORT int X509_set1_signature_value(X509 *x509, const uint8_t *sig, 947 size_t sig_len); 948 949 // X509_get0_signature sets |*out_sig| and |*out_alg| to the signature and 950 // signature algorithm of |x509|, respectively. Either output pointer may be 951 // NULL to ignore the value. 952 // 953 // This function outputs the outer signature algorithm. For the one in the 954 // TBSCertificate, see |X509_get0_tbs_sigalg|. Certificates with mismatched 955 // signature algorithms will successfully parse, but they will be rejected when 956 // verifying. 957 OPENSSL_EXPORT void X509_get0_signature(const ASN1_BIT_STRING **out_sig, 958 const X509_ALGOR **out_alg, 959 const X509 *x509); 960 961 // X509_get_signature_nid returns the NID corresponding to |x509|'s signature 962 // algorithm, or |NID_undef| if the signature algorithm does not correspond to 963 // a known NID. 964 OPENSSL_EXPORT int X509_get_signature_nid(const X509 *x509); 965 966 OPENSSL_EXPORT int X509_alias_set1(X509 *x, const unsigned char *name, int len); 967 OPENSSL_EXPORT int X509_keyid_set1(X509 *x, const unsigned char *id, int len); 968 OPENSSL_EXPORT unsigned char *X509_alias_get0(X509 *x, int *len); 969 OPENSSL_EXPORT unsigned char *X509_keyid_get0(X509 *x, int *len); 970 OPENSSL_EXPORT int (*X509_TRUST_set_default(int (*trust)(int, X509 *, 971 int)))(int, X509 *, 972 int); 973 OPENSSL_EXPORT int X509_TRUST_set(int *t, int trust); 974 OPENSSL_EXPORT int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj); 975 OPENSSL_EXPORT int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj); 976 OPENSSL_EXPORT void X509_trust_clear(X509 *x); 977 OPENSSL_EXPORT void X509_reject_clear(X509 *x); 978 979 DECLARE_ASN1_FUNCTIONS(X509_REVOKED) 980 DECLARE_ASN1_FUNCTIONS(X509_CRL) 981 982 OPENSSL_EXPORT int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev); 983 OPENSSL_EXPORT int X509_CRL_get0_by_serial(X509_CRL *crl, X509_REVOKED **ret, 984 ASN1_INTEGER *serial); 985 OPENSSL_EXPORT int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, 986 X509 *x); 987 988 OPENSSL_EXPORT X509_PKEY *X509_PKEY_new(void); 989 OPENSSL_EXPORT void X509_PKEY_free(X509_PKEY *a); 990 991 DECLARE_ASN1_FUNCTIONS(NETSCAPE_SPKI) 992 DECLARE_ASN1_FUNCTIONS(NETSCAPE_SPKAC) 993 994 OPENSSL_EXPORT X509_INFO *X509_INFO_new(void); 995 OPENSSL_EXPORT void X509_INFO_free(X509_INFO *a); 996 OPENSSL_EXPORT char *X509_NAME_oneline(const X509_NAME *a, char *buf, int size); 997 998 OPENSSL_EXPORT int ASN1_digest(i2d_of_void *i2d, const EVP_MD *type, char *data, 999 unsigned char *md, unsigned int *len); 1000 1001 OPENSSL_EXPORT int ASN1_item_digest(const ASN1_ITEM *it, const EVP_MD *type, 1002 void *data, unsigned char *md, 1003 unsigned int *len); 1004 1005 OPENSSL_EXPORT int ASN1_item_verify(const ASN1_ITEM *it, 1006 const X509_ALGOR *algor1, 1007 const ASN1_BIT_STRING *signature, 1008 void *data, EVP_PKEY *pkey); 1009 1010 OPENSSL_EXPORT int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, 1011 X509_ALGOR *algor2, 1012 ASN1_BIT_STRING *signature, void *data, 1013 EVP_PKEY *pkey, const EVP_MD *type); 1014 OPENSSL_EXPORT int ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1, 1015 X509_ALGOR *algor2, 1016 ASN1_BIT_STRING *signature, void *asn, 1017 EVP_MD_CTX *ctx); 1018 1019 // X509_get_serialNumber returns a mutable pointer to |x509|'s serial number. 1020 // Prefer |X509_get0_serialNumber|. 1021 OPENSSL_EXPORT ASN1_INTEGER *X509_get_serialNumber(X509 *x509); 1022 1023 // X509_set_issuer_name sets |x509|'s issuer to a copy of |name|. It returns one 1024 // on success and zero on error. 1025 OPENSSL_EXPORT int X509_set_issuer_name(X509 *x509, X509_NAME *name); 1026 1027 // X509_get_issuer_name returns |x509|'s issuer. 1028 OPENSSL_EXPORT X509_NAME *X509_get_issuer_name(const X509 *x509); 1029 1030 // X509_set_subject_name sets |x509|'s subject to a copy of |name|. It returns 1031 // one on success and zero on error. 1032 OPENSSL_EXPORT int X509_set_subject_name(X509 *x509, X509_NAME *name); 1033 1034 // X509_get_issuer_name returns |x509|'s subject. 1035 OPENSSL_EXPORT X509_NAME *X509_get_subject_name(const X509 *x509); 1036 1037 // X509_set_pubkey sets |x509|'s public key to |pkey|. It returns one on success 1038 // and zero on error. This function does not take ownership of |pkey| and 1039 // internally copies and updates reference counts as needed. 1040 OPENSSL_EXPORT int X509_set_pubkey(X509 *x509, EVP_PKEY *pkey); 1041 1042 // X509_get_pubkey returns |x509|'s public key as an |EVP_PKEY|, or NULL if the 1043 // public key was unsupported or could not be decoded. This function returns a 1044 // reference to the |EVP_PKEY|. The caller must release the result with 1045 // |EVP_PKEY_free| when done. 1046 OPENSSL_EXPORT EVP_PKEY *X509_get_pubkey(X509 *x509); 1047 1048 // X509_get0_pubkey_bitstr returns the BIT STRING portion of |x509|'s public 1049 // key. Note this does not contain the AlgorithmIdentifier portion. 1050 // 1051 // WARNING: This function returns a non-const pointer for OpenSSL compatibility, 1052 // but the caller must not modify the resulting object. Doing so will break 1053 // internal invariants in |x509|. 1054 OPENSSL_EXPORT ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x509); 1055 1056 // X509_get0_extensions returns |x509|'s extension list, or NULL if |x509| omits 1057 // it. 1058 OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_get0_extensions( 1059 const X509 *x509); 1060 1061 // X509_get0_tbs_sigalg returns the signature algorithm in |x509|'s 1062 // TBSCertificate. For the outer signature algorithm, see |X509_get0_signature|. 1063 // 1064 // Certificates with mismatched signature algorithms will successfully parse, 1065 // but they will be rejected when verifying. 1066 OPENSSL_EXPORT const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x509); 1067 1068 // X509_REQ_set_version sets |req|'s version to |version|, which should be 1069 // |X509_REQ_VERSION_1|. It returns one on success and zero on error. 1070 // 1071 // Note no versions other than |X509_REQ_VERSION_1| are defined for CSRs. 1072 OPENSSL_EXPORT int X509_REQ_set_version(X509_REQ *req, long version); 1073 1074 // X509_REQ_set_subject_name sets |req|'s subject to a copy of |name|. It 1075 // returns one on success and zero on error. 1076 OPENSSL_EXPORT int X509_REQ_set_subject_name(X509_REQ *req, X509_NAME *name); 1077 1078 // X509_REQ_get0_signature sets |*out_sig| and |*out_alg| to the signature and 1079 // signature algorithm of |req|, respectively. Either output pointer may be NULL 1080 // to ignore the value. 1081 OPENSSL_EXPORT void X509_REQ_get0_signature(const X509_REQ *req, 1082 const ASN1_BIT_STRING **out_sig, 1083 const X509_ALGOR **out_alg); 1084 1085 // X509_REQ_get_signature_nid returns the NID corresponding to |req|'s signature 1086 // algorithm, or |NID_undef| if the signature algorithm does not correspond to 1087 // a known NID. 1088 OPENSSL_EXPORT int X509_REQ_get_signature_nid(const X509_REQ *req); 1089 1090 // i2d_re_X509_REQ_tbs serializes the CertificationRequestInfo (see RFC 2986) 1091 // portion of |req|. If |outp| is NULL, nothing is written. Otherwise, if 1092 // |*outp| is not NULL, the result is written to |*outp|, which must have enough 1093 // space available, and |*outp| is advanced just past the output. If |outp| is 1094 // non-NULL and |*outp| is NULL, it sets |*outp| to a newly-allocated buffer 1095 // containing the result. The caller is responsible for releasing the buffer 1096 // with |OPENSSL_free|. In all cases, this function returns the number of bytes 1097 // in the result, whether written or not, or a negative value on error. 1098 // 1099 // This function re-encodes the CertificationRequestInfo and may not reflect 1100 // |req|'s original encoding. It may be used to manually generate a signature 1101 // for a new certificate request. 1102 OPENSSL_EXPORT int i2d_re_X509_REQ_tbs(X509_REQ *req, uint8_t **outp); 1103 1104 // X509_REQ_set_pubkey sets |req|'s public key to |pkey|. It returns one on 1105 // success and zero on error. This function does not take ownership of |pkey| 1106 // and internally copies and updates reference counts as needed. 1107 OPENSSL_EXPORT int X509_REQ_set_pubkey(X509_REQ *req, EVP_PKEY *pkey); 1108 1109 // X509_REQ_get_pubkey returns |req|'s public key as an |EVP_PKEY|, or NULL if 1110 // the public key was unsupported or could not be decoded. This function returns 1111 // a reference to the |EVP_PKEY|. The caller must release the result with 1112 // |EVP_PKEY_free| when done. 1113 OPENSSL_EXPORT EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req); 1114 1115 // X509_REQ_extension_nid returns one if |nid| is a supported CSR attribute type 1116 // for carrying extensions and zero otherwise. The supported types are 1117 // |NID_ext_req| (pkcs-9-at-extensionRequest from RFC 2985) and |NID_ms_ext_req| 1118 // (a Microsoft szOID_CERT_EXTENSIONS variant). 1119 OPENSSL_EXPORT int X509_REQ_extension_nid(int nid); 1120 1121 // X509_REQ_get_extensions decodes the list of requested extensions in |req| and 1122 // returns a newly-allocated |STACK_OF(X509_EXTENSION)| containing the result. 1123 // It returns NULL on error, or if |req| did not request extensions. 1124 // 1125 // This function supports both pkcs-9-at-extensionRequest from RFC 2985 and the 1126 // Microsoft szOID_CERT_EXTENSIONS variant. 1127 OPENSSL_EXPORT STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req); 1128 1129 // X509_REQ_add_extensions_nid adds an attribute to |req| of type |nid|, to 1130 // request the certificate extensions in |exts|. It returns one on success and 1131 // zero on error. |nid| should be |NID_ext_req| or |NID_ms_ext_req|. 1132 OPENSSL_EXPORT int X509_REQ_add_extensions_nid( 1133 X509_REQ *req, const STACK_OF(X509_EXTENSION) *exts, int nid); 1134 1135 // X509_REQ_add_extensions behaves like |X509_REQ_add_extensions_nid|, using the 1136 // standard |NID_ext_req| for the attribute type. 1137 OPENSSL_EXPORT int X509_REQ_add_extensions( 1138 X509_REQ *req, const STACK_OF(X509_EXTENSION) *exts); 1139 1140 // X509_REQ_get_attr_count returns the number of attributes in |req|. 1141 OPENSSL_EXPORT int X509_REQ_get_attr_count(const X509_REQ *req); 1142 1143 // X509_REQ_get_attr_by_NID returns the index of the attribute in |req| of type 1144 // |nid|, or a negative number if not found. If found, callers can use 1145 // |X509_REQ_get_attr| to look up the attribute by index. 1146 // 1147 // If |lastpos| is non-negative, it begins searching at |lastpos| + 1. Callers 1148 // can thus loop over all matching attributes by first passing -1 and then 1149 // passing the previously-returned value until no match is returned. 1150 OPENSSL_EXPORT int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid, 1151 int lastpos); 1152 1153 // X509_REQ_get_attr_by_OBJ behaves like |X509_REQ_get_attr_by_NID| but looks 1154 // for attributes of type |obj|. 1155 OPENSSL_EXPORT int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, 1156 const ASN1_OBJECT *obj, 1157 int lastpos); 1158 1159 // X509_REQ_get_attr returns the attribute at index |loc| in |req|, or NULL if 1160 // out of bounds. 1161 OPENSSL_EXPORT X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc); 1162 1163 // X509_REQ_delete_attr removes the attribute at index |loc| in |req|. It 1164 // returns the removed attribute to the caller, or NULL if |loc| was out of 1165 // bounds. If non-NULL, the caller must release the result with 1166 // |X509_ATTRIBUTE_free| when done. It is also safe, but not necessary, to call 1167 // |X509_ATTRIBUTE_free| if the result is NULL. 1168 OPENSSL_EXPORT X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc); 1169 1170 // X509_REQ_add1_attr appends a copy of |attr| to |req|'s list of attributes. It 1171 // returns one on success and zero on error. 1172 // 1173 // TODO(https://crbug.com/boringssl/407): |attr| should be const. 1174 OPENSSL_EXPORT int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr); 1175 1176 // X509_REQ_add1_attr_by_OBJ appends a new attribute to |req| with type |obj|. 1177 // It returns one on success and zero on error. The value is determined by 1178 // |X509_ATTRIBUTE_set1_data|. 1179 // 1180 // WARNING: The interpretation of |attrtype|, |data|, and |len| is complex and 1181 // error-prone. See |X509_ATTRIBUTE_set1_data| for details. 1182 OPENSSL_EXPORT int X509_REQ_add1_attr_by_OBJ(X509_REQ *req, 1183 const ASN1_OBJECT *obj, 1184 int attrtype, 1185 const unsigned char *data, 1186 int len); 1187 1188 // X509_REQ_add1_attr_by_NID behaves like |X509_REQ_add1_attr_by_OBJ| except the 1189 // attribute type is determined by |nid|. 1190 OPENSSL_EXPORT int X509_REQ_add1_attr_by_NID(X509_REQ *req, int nid, 1191 int attrtype, 1192 const unsigned char *data, 1193 int len); 1194 1195 // X509_REQ_add1_attr_by_txt behaves like |X509_REQ_add1_attr_by_OBJ| except the 1196 // attribute type is determined by calling |OBJ_txt2obj| with |attrname|. 1197 OPENSSL_EXPORT int X509_REQ_add1_attr_by_txt(X509_REQ *req, 1198 const char *attrname, int attrtype, 1199 const unsigned char *data, 1200 int len); 1201 1202 // X509_CRL_set_version sets |crl|'s version to |version|, which should be one 1203 // of the |X509_CRL_VERSION_*| constants. It returns one on success and zero on 1204 // error. 1205 // 1206 // If unsure, use |X509_CRL_VERSION_2|. Note that, unlike certificates, CRL 1207 // versions are only defined up to v2. Callers should not use |X509_VERSION_3|. 1208 OPENSSL_EXPORT int X509_CRL_set_version(X509_CRL *crl, long version); 1209 1210 // X509_CRL_set_issuer_name sets |crl|'s issuer to a copy of |name|. It returns 1211 // one on success and zero on error. 1212 OPENSSL_EXPORT int X509_CRL_set_issuer_name(X509_CRL *crl, X509_NAME *name); 1213 1214 OPENSSL_EXPORT int X509_CRL_sort(X509_CRL *crl); 1215 1216 // X509_CRL_up_ref adds one to the reference count of |crl| and returns one. 1217 OPENSSL_EXPORT int X509_CRL_up_ref(X509_CRL *crl); 1218 1219 // X509_CRL_get0_signature sets |*out_sig| and |*out_alg| to the signature and 1220 // signature algorithm of |crl|, respectively. Either output pointer may be NULL 1221 // to ignore the value. 1222 // 1223 // This function outputs the outer signature algorithm, not the one in the 1224 // TBSCertList. CRLs with mismatched signature algorithms will successfully 1225 // parse, but they will be rejected when verifying. 1226 OPENSSL_EXPORT void X509_CRL_get0_signature(const X509_CRL *crl, 1227 const ASN1_BIT_STRING **out_sig, 1228 const X509_ALGOR **out_alg); 1229 1230 // X509_CRL_get_signature_nid returns the NID corresponding to |crl|'s signature 1231 // algorithm, or |NID_undef| if the signature algorithm does not correspond to 1232 // a known NID. 1233 OPENSSL_EXPORT int X509_CRL_get_signature_nid(const X509_CRL *crl); 1234 1235 // i2d_re_X509_CRL_tbs serializes the TBSCertList portion of |crl|. If |outp| is 1236 // NULL, nothing is written. Otherwise, if |*outp| is not NULL, the result is 1237 // written to |*outp|, which must have enough space available, and |*outp| is 1238 // advanced just past the output. If |outp| is non-NULL and |*outp| is NULL, it 1239 // sets |*outp| to a newly-allocated buffer containing the result. The caller is 1240 // responsible for releasing the buffer with |OPENSSL_free|. In all cases, this 1241 // function returns the number of bytes in the result, whether written or not, 1242 // or a negative value on error. 1243 // 1244 // This function re-encodes the TBSCertList and may not reflect |crl|'s original 1245 // encoding. It may be used to manually generate a signature for a new CRL. To 1246 // verify CRLs, use |i2d_X509_CRL_tbs| instead. 1247 OPENSSL_EXPORT int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **outp); 1248 1249 // i2d_X509_CRL_tbs serializes the TBSCertList portion of |crl|. If |outp| is 1250 // NULL, nothing is written. Otherwise, if |*outp| is not NULL, the result is 1251 // written to |*outp|, which must have enough space available, and |*outp| is 1252 // advanced just past the output. If |outp| is non-NULL and |*outp| is NULL, it 1253 // sets |*outp| to a newly-allocated buffer containing the result. The caller is 1254 // responsible for releasing the buffer with |OPENSSL_free|. In all cases, this 1255 // function returns the number of bytes in the result, whether written or not, 1256 // or a negative value on error. 1257 // 1258 // This function preserves the original encoding of the TBSCertList and may not 1259 // reflect modifications made to |crl|. It may be used to manually verify the 1260 // signature of an existing CRL. To generate CRLs, use |i2d_re_X509_CRL_tbs| 1261 // instead. 1262 OPENSSL_EXPORT int i2d_X509_CRL_tbs(X509_CRL *crl, unsigned char **outp); 1263 1264 // X509_CRL_set1_signature_algo sets |crl|'s signature algorithm to |algo| and 1265 // returns one on success or zero on error. It updates both the signature field 1266 // of the TBSCertList structure, and the signatureAlgorithm field of the CRL. 1267 OPENSSL_EXPORT int X509_CRL_set1_signature_algo(X509_CRL *crl, 1268 const X509_ALGOR *algo); 1269 1270 // X509_CRL_set1_signature_value sets |crl|'s signature to a copy of the 1271 // |sig_len| bytes pointed by |sig|. It returns one on success and zero on 1272 // error. 1273 // 1274 // Due to a specification error, X.509 CRLs store signatures in ASN.1 BIT 1275 // STRINGs, but signature algorithms return byte strings rather than bit 1276 // strings. This function creates a BIT STRING containing a whole number of 1277 // bytes, with the bit order matching the DER encoding. This matches the 1278 // encoding used by all X.509 signature algorithms. 1279 OPENSSL_EXPORT int X509_CRL_set1_signature_value(X509_CRL *crl, 1280 const uint8_t *sig, 1281 size_t sig_len); 1282 1283 // X509_REVOKED_get0_serialNumber returns the serial number of the certificate 1284 // revoked by |revoked|. 1285 OPENSSL_EXPORT const ASN1_INTEGER *X509_REVOKED_get0_serialNumber( 1286 const X509_REVOKED *revoked); 1287 1288 // X509_REVOKED_set_serialNumber sets |revoked|'s serial number to |serial|. It 1289 // returns one on success or zero on error. 1290 OPENSSL_EXPORT int X509_REVOKED_set_serialNumber(X509_REVOKED *revoked, 1291 const ASN1_INTEGER *serial); 1292 1293 // X509_REVOKED_get0_revocationDate returns the revocation time of the 1294 // certificate revoked by |revoked|. 1295 OPENSSL_EXPORT const ASN1_TIME *X509_REVOKED_get0_revocationDate( 1296 const X509_REVOKED *revoked); 1297 1298 // X509_REVOKED_set_revocationDate sets |revoked|'s revocation time to |tm|. It 1299 // returns one on success or zero on error. 1300 OPENSSL_EXPORT int X509_REVOKED_set_revocationDate(X509_REVOKED *revoked, 1301 const ASN1_TIME *tm); 1302 1303 // X509_REVOKED_get0_extensions returns |r|'s extensions list, or NULL if |r| 1304 // omits it. 1305 OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions( 1306 const X509_REVOKED *r); 1307 1308 OPENSSL_EXPORT X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, 1309 EVP_PKEY *skey, const EVP_MD *md, 1310 unsigned int flags); 1311 1312 OPENSSL_EXPORT int X509_REQ_check_private_key(X509_REQ *x509, EVP_PKEY *pkey); 1313 1314 OPENSSL_EXPORT int X509_check_private_key(X509 *x509, const EVP_PKEY *pkey); 1315 OPENSSL_EXPORT int X509_chain_check_suiteb(int *perror_depth, X509 *x, 1316 STACK_OF(X509) *chain, 1317 unsigned long flags); 1318 OPENSSL_EXPORT int X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk, 1319 unsigned long flags); 1320 1321 // X509_chain_up_ref returns a newly-allocated |STACK_OF(X509)| containing a 1322 // shallow copy of |chain|, or NULL on error. That is, the return value has the 1323 // same contents as |chain|, and each |X509|'s reference count is incremented by 1324 // one. 1325 OPENSSL_EXPORT STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain); 1326 1327 OPENSSL_EXPORT int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b); 1328 1329 OPENSSL_EXPORT int X509_issuer_name_cmp(const X509 *a, const X509 *b); 1330 OPENSSL_EXPORT unsigned long X509_issuer_name_hash(X509 *a); 1331 1332 OPENSSL_EXPORT int X509_subject_name_cmp(const X509 *a, const X509 *b); 1333 OPENSSL_EXPORT unsigned long X509_subject_name_hash(X509 *x); 1334 1335 OPENSSL_EXPORT unsigned long X509_issuer_name_hash_old(X509 *a); 1336 OPENSSL_EXPORT unsigned long X509_subject_name_hash_old(X509 *x); 1337 1338 OPENSSL_EXPORT int X509_cmp(const X509 *a, const X509 *b); 1339 OPENSSL_EXPORT int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b); 1340 OPENSSL_EXPORT unsigned long X509_NAME_hash(X509_NAME *x); 1341 OPENSSL_EXPORT unsigned long X509_NAME_hash_old(X509_NAME *x); 1342 1343 OPENSSL_EXPORT int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b); 1344 OPENSSL_EXPORT int X509_CRL_match(const X509_CRL *a, const X509_CRL *b); 1345 OPENSSL_EXPORT int X509_print_ex_fp(FILE *bp, X509 *x, unsigned long nmflag, 1346 unsigned long cflag); 1347 OPENSSL_EXPORT int X509_print_fp(FILE *bp, X509 *x); 1348 OPENSSL_EXPORT int X509_CRL_print_fp(FILE *bp, X509_CRL *x); 1349 OPENSSL_EXPORT int X509_REQ_print_fp(FILE *bp, X509_REQ *req); 1350 OPENSSL_EXPORT int X509_NAME_print_ex_fp(FILE *fp, const X509_NAME *nm, 1351 int indent, unsigned long flags); 1352 1353 OPENSSL_EXPORT int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase); 1354 OPENSSL_EXPORT int X509_NAME_print_ex(BIO *out, const X509_NAME *nm, int indent, 1355 unsigned long flags); 1356 OPENSSL_EXPORT int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflag, 1357 unsigned long cflag); 1358 OPENSSL_EXPORT int X509_print(BIO *bp, X509 *x); 1359 OPENSSL_EXPORT int X509_ocspid_print(BIO *bp, X509 *x); 1360 OPENSSL_EXPORT int X509_CERT_AUX_print(BIO *bp, X509_CERT_AUX *x, int indent); 1361 OPENSSL_EXPORT int X509_CRL_print(BIO *bp, X509_CRL *x); 1362 OPENSSL_EXPORT int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflag, 1363 unsigned long cflag); 1364 OPENSSL_EXPORT int X509_REQ_print(BIO *bp, X509_REQ *req); 1365 1366 OPENSSL_EXPORT int X509_NAME_entry_count(const X509_NAME *name); 1367 OPENSSL_EXPORT int X509_NAME_get_text_by_NID(const X509_NAME *name, int nid, 1368 char *buf, int len); 1369 OPENSSL_EXPORT int X509_NAME_get_text_by_OBJ(const X509_NAME *name, 1370 const ASN1_OBJECT *obj, char *buf, 1371 int len); 1372 1373 // NOTE: you should be passsing -1, not 0 as lastpos. The functions that use 1374 // lastpos, search after that position on. 1375 OPENSSL_EXPORT int X509_NAME_get_index_by_NID(const X509_NAME *name, int nid, 1376 int lastpos); 1377 OPENSSL_EXPORT int X509_NAME_get_index_by_OBJ(const X509_NAME *name, 1378 const ASN1_OBJECT *obj, 1379 int lastpos); 1380 OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_get_entry(const X509_NAME *name, 1381 int loc); 1382 OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, 1383 int loc); 1384 OPENSSL_EXPORT int X509_NAME_add_entry(X509_NAME *name, X509_NAME_ENTRY *ne, 1385 int loc, int set); 1386 OPENSSL_EXPORT int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, 1387 int type, 1388 const unsigned char *bytes, 1389 int len, int loc, int set); 1390 OPENSSL_EXPORT int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, 1391 int type, 1392 const unsigned char *bytes, 1393 int len, int loc, int set); 1394 OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt( 1395 X509_NAME_ENTRY **ne, const char *field, int type, 1396 const unsigned char *bytes, int len); 1397 OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID( 1398 X509_NAME_ENTRY **ne, int nid, int type, const unsigned char *bytes, 1399 int len); 1400 OPENSSL_EXPORT int X509_NAME_add_entry_by_txt(X509_NAME *name, 1401 const char *field, int type, 1402 const unsigned char *bytes, 1403 int len, int loc, int set); 1404 OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ( 1405 X509_NAME_ENTRY **ne, const ASN1_OBJECT *obj, int type, 1406 const unsigned char *bytes, int len); 1407 OPENSSL_EXPORT int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, 1408 const ASN1_OBJECT *obj); 1409 OPENSSL_EXPORT int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, 1410 const unsigned char *bytes, 1411 int len); 1412 OPENSSL_EXPORT ASN1_OBJECT *X509_NAME_ENTRY_get_object( 1413 const X509_NAME_ENTRY *ne); 1414 OPENSSL_EXPORT ASN1_STRING *X509_NAME_ENTRY_get_data(const X509_NAME_ENTRY *ne); 1415 1416 // X509v3_get_ext_count returns the number of extensions in |x|. 1417 OPENSSL_EXPORT int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x); 1418 1419 // X509v3_get_ext_by_NID returns the index of the first extension in |x| with 1420 // type |nid|, or a negative number if not found. If found, callers can use 1421 // |X509v3_get_ext| to look up the extension by index. 1422 // 1423 // If |lastpos| is non-negative, it begins searching at |lastpos| + 1. Callers 1424 // can thus loop over all matching extensions by first passing -1 and then 1425 // passing the previously-returned value until no match is returned. 1426 OPENSSL_EXPORT int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, 1427 int nid, int lastpos); 1428 1429 // X509v3_get_ext_by_OBJ behaves like |X509v3_get_ext_by_NID| but looks for 1430 // extensions matching |obj|. 1431 OPENSSL_EXPORT int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *x, 1432 const ASN1_OBJECT *obj, int lastpos); 1433 1434 // X509v3_get_ext_by_critical returns the index of the first extension in |x| 1435 // whose critical bit matches |crit|, or a negative number if no such extension 1436 // was found. 1437 // 1438 // If |lastpos| is non-negative, it begins searching at |lastpos| + 1. Callers 1439 // can thus loop over all matching extensions by first passing -1 and then 1440 // passing the previously-returned value until no match is returned. 1441 OPENSSL_EXPORT int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *x, 1442 int crit, int lastpos); 1443 1444 // X509v3_get_ext returns the extension in |x| at index |loc|, or NULL if |loc| 1445 // is out of bounds. 1446 OPENSSL_EXPORT X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, 1447 int loc); 1448 1449 // X509v3_delete_ext removes the extension in |x| at index |loc| and returns the 1450 // removed extension, or NULL if |loc| was out of bounds. If an extension was 1451 // returned, the caller must release it with |X509_EXTENSION_free|. 1452 OPENSSL_EXPORT X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, 1453 int loc); 1454 1455 // X509v3_add_ext adds a copy of |ex| to the extension list in |*x|. If |*x| is 1456 // NULL, it allocates a new |STACK_OF(X509_EXTENSION)| to hold the copy and sets 1457 // |*x| to the new list. It returns |*x| on success and NULL on error. The 1458 // caller retains ownership of |ex| and can release it independently of |*x|. 1459 // 1460 // The new extension is inserted at index |loc|, shifting extensions to the 1461 // right. If |loc| is -1 or out of bounds, the new extension is appended to the 1462 // list. 1463 OPENSSL_EXPORT STACK_OF(X509_EXTENSION) *X509v3_add_ext( 1464 STACK_OF(X509_EXTENSION) **x, X509_EXTENSION *ex, int loc); 1465 1466 // X509_get_ext_count returns the number of extensions in |x|. 1467 OPENSSL_EXPORT int X509_get_ext_count(const X509 *x); 1468 1469 // X509_get_ext_by_NID behaves like |X509v3_get_ext_by_NID| but searches for 1470 // extensions in |x|. 1471 OPENSSL_EXPORT int X509_get_ext_by_NID(const X509 *x, int nid, int lastpos); 1472 1473 // X509_get_ext_by_OBJ behaves like |X509v3_get_ext_by_OBJ| but searches for 1474 // extensions in |x|. 1475 OPENSSL_EXPORT int X509_get_ext_by_OBJ(const X509 *x, const ASN1_OBJECT *obj, 1476 int lastpos); 1477 1478 // X509_get_ext_by_critical behaves like |X509v3_get_ext_by_critical| but 1479 // searches for extensions in |x|. 1480 OPENSSL_EXPORT int X509_get_ext_by_critical(const X509 *x, int crit, 1481 int lastpos); 1482 1483 // X509_get_ext returns the extension in |x| at index |loc|, or NULL if |loc| is 1484 // out of bounds. 1485 OPENSSL_EXPORT X509_EXTENSION *X509_get_ext(const X509 *x, int loc); 1486 1487 // X509_delete_ext removes the extension in |x| at index |loc| and returns the 1488 // removed extension, or NULL if |loc| was out of bounds. If non-NULL, the 1489 // caller must release the result with |X509_EXTENSION_free|. It is also safe, 1490 // but not necessary, to call |X509_EXTENSION_free| if the result is NULL. 1491 OPENSSL_EXPORT X509_EXTENSION *X509_delete_ext(X509 *x, int loc); 1492 1493 // X509_add_ext adds a copy of |ex| to |x|. It returns one on success and zero 1494 // on failure. The caller retains ownership of |ex| and can release it 1495 // independently of |x|. 1496 // 1497 // The new extension is inserted at index |loc|, shifting extensions to the 1498 // right. If |loc| is -1 or out of bounds, the new extension is appended to the 1499 // list. 1500 OPENSSL_EXPORT int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc); 1501 1502 // X509_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the extension in 1503 // |x509|'s extension list. 1504 // 1505 // WARNING: This function is difficult to use correctly. See the documentation 1506 // for |X509V3_get_d2i| for details. 1507 OPENSSL_EXPORT void *X509_get_ext_d2i(const X509 *x509, int nid, 1508 int *out_critical, int *out_idx); 1509 1510 // X509_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the extension to 1511 // |x|'s extension list. 1512 // 1513 // WARNING: This function may return zero or -1 on error. The caller must also 1514 // ensure |value|'s type matches |nid|. See the documentation for 1515 // |X509V3_add1_i2d| for details. 1516 OPENSSL_EXPORT int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit, 1517 unsigned long flags); 1518 1519 // X509_CRL_get_ext_count returns the number of extensions in |x|. 1520 OPENSSL_EXPORT int X509_CRL_get_ext_count(const X509_CRL *x); 1521 1522 // X509_CRL_get_ext_by_NID behaves like |X509v3_get_ext_by_NID| but searches for 1523 // extensions in |x|. 1524 OPENSSL_EXPORT int X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid, 1525 int lastpos); 1526 1527 // X509_CRL_get_ext_by_OBJ behaves like |X509v3_get_ext_by_OBJ| but searches for 1528 // extensions in |x|. 1529 OPENSSL_EXPORT int X509_CRL_get_ext_by_OBJ(const X509_CRL *x, 1530 const ASN1_OBJECT *obj, int lastpos); 1531 1532 // X509_CRL_get_ext_by_critical behaves like |X509v3_get_ext_by_critical| but 1533 // searches for extensions in |x|. 1534 OPENSSL_EXPORT int X509_CRL_get_ext_by_critical(const X509_CRL *x, int crit, 1535 int lastpos); 1536 1537 // X509_CRL_get_ext returns the extension in |x| at index |loc|, or NULL if 1538 // |loc| is out of bounds. 1539 OPENSSL_EXPORT X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc); 1540 1541 // X509_CRL_delete_ext removes the extension in |x| at index |loc| and returns 1542 // the removed extension, or NULL if |loc| was out of bounds. If non-NULL, the 1543 // caller must release the result with |X509_EXTENSION_free|. It is also safe, 1544 // but not necessary, to call |X509_EXTENSION_free| if the result is NULL. 1545 OPENSSL_EXPORT X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc); 1546 1547 // X509_CRL_add_ext adds a copy of |ex| to |x|. It returns one on success and 1548 // zero on failure. The caller retains ownership of |ex| and can release it 1549 // independently of |x|. 1550 // 1551 // The new extension is inserted at index |loc|, shifting extensions to the 1552 // right. If |loc| is -1 or out of bounds, the new extension is appended to the 1553 // list. 1554 OPENSSL_EXPORT int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc); 1555 1556 // X509_CRL_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the 1557 // extension in |crl|'s extension list. 1558 // 1559 // WARNING: This function is difficult to use correctly. See the documentation 1560 // for |X509V3_get_d2i| for details. 1561 OPENSSL_EXPORT void *X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid, 1562 int *out_critical, int *out_idx); 1563 1564 // X509_CRL_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the extension 1565 // to |x|'s extension list. 1566 // 1567 // WARNING: This function may return zero or -1 on error. The caller must also 1568 // ensure |value|'s type matches |nid|. See the documentation for 1569 // |X509V3_add1_i2d| for details. 1570 OPENSSL_EXPORT int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, 1571 int crit, unsigned long flags); 1572 1573 // X509_REVOKED_get_ext_count returns the number of extensions in |x|. 1574 OPENSSL_EXPORT int X509_REVOKED_get_ext_count(const X509_REVOKED *x); 1575 1576 // X509_REVOKED_get_ext_by_NID behaves like |X509v3_get_ext_by_NID| but searches 1577 // for extensions in |x|. 1578 OPENSSL_EXPORT int X509_REVOKED_get_ext_by_NID(const X509_REVOKED *x, int nid, 1579 int lastpos); 1580 1581 // X509_REVOKED_get_ext_by_OBJ behaves like |X509v3_get_ext_by_OBJ| but searches 1582 // for extensions in |x|. 1583 OPENSSL_EXPORT int X509_REVOKED_get_ext_by_OBJ(const X509_REVOKED *x, 1584 const ASN1_OBJECT *obj, 1585 int lastpos); 1586 1587 // X509_REVOKED_get_ext_by_critical behaves like |X509v3_get_ext_by_critical| 1588 // but searches for extensions in |x|. 1589 OPENSSL_EXPORT int X509_REVOKED_get_ext_by_critical(const X509_REVOKED *x, 1590 int crit, int lastpos); 1591 1592 // X509_REVOKED_get_ext returns the extension in |x| at index |loc|, or NULL if 1593 // |loc| is out of bounds. 1594 OPENSSL_EXPORT X509_EXTENSION *X509_REVOKED_get_ext(const X509_REVOKED *x, 1595 int loc); 1596 1597 // X509_REVOKED_delete_ext removes the extension in |x| at index |loc| and 1598 // returns the removed extension, or NULL if |loc| was out of bounds. If 1599 // non-NULL, the caller must release the result with |X509_EXTENSION_free|. It 1600 // is also safe, but not necessary, to call |X509_EXTENSION_free| if the result 1601 // is NULL. 1602 OPENSSL_EXPORT X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, 1603 int loc); 1604 1605 // X509_REVOKED_add_ext adds a copy of |ex| to |x|. It returns one on success 1606 // and zero on failure. The caller retains ownership of |ex| and can release it 1607 // independently of |x|. 1608 // 1609 // The new extension is inserted at index |loc|, shifting extensions to the 1610 // right. If |loc| is -1 or out of bounds, the new extension is appended to the 1611 // list. 1612 OPENSSL_EXPORT int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, 1613 int loc); 1614 1615 // X509_REVOKED_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the 1616 // extension in |revoked|'s extension list. 1617 // 1618 // WARNING: This function is difficult to use correctly. See the documentation 1619 // for |X509V3_get_d2i| for details. 1620 OPENSSL_EXPORT void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *revoked, 1621 int nid, int *out_critical, 1622 int *out_idx); 1623 1624 // X509_REVOKED_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the 1625 // extension to |x|'s extension list. 1626 // 1627 // WARNING: This function may return zero or -1 on error. The caller must also 1628 // ensure |value|'s type matches |nid|. See the documentation for 1629 // |X509V3_add1_i2d| for details. 1630 OPENSSL_EXPORT int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid, 1631 void *value, int crit, 1632 unsigned long flags); 1633 1634 // X509_EXTENSION_create_by_NID creates a new |X509_EXTENSION| with type |nid|, 1635 // value |data|, and critical bit |crit|. It returns the newly-allocated 1636 // |X509_EXTENSION| on success, and false on error. |nid| should be a |NID_*| 1637 // constant. 1638 // 1639 // If |ex| and |*ex| are both non-NULL, it modifies and returns |*ex| instead of 1640 // creating a new object. If |ex| is non-NULL, but |*ex| is NULL, it sets |*ex| 1641 // to the new |X509_EXTENSION|, in addition to returning the result. 1642 OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_create_by_NID( 1643 X509_EXTENSION **ex, int nid, int crit, const ASN1_OCTET_STRING *data); 1644 1645 // X509_EXTENSION_create_by_OBJ behaves like |X509_EXTENSION_create_by_NID|, but 1646 // the extension type is determined by an |ASN1_OBJECT|. 1647 OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_create_by_OBJ( 1648 X509_EXTENSION **ex, const ASN1_OBJECT *obj, int crit, 1649 const ASN1_OCTET_STRING *data); 1650 1651 // X509_EXTENSION_set_object sets |ex|'s extension type to |obj|. It returns one 1652 // on success and zero on error. 1653 OPENSSL_EXPORT int X509_EXTENSION_set_object(X509_EXTENSION *ex, 1654 const ASN1_OBJECT *obj); 1655 1656 // X509_EXTENSION_set_critical sets |ex| to critical if |crit| is non-zero and 1657 // to non-critical if |crit| is zero. 1658 OPENSSL_EXPORT int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit); 1659 1660 // X509_EXTENSION_set_data set's |ex|'s extension value to a copy of |data|. It 1661 // returns one on success and zero on error. 1662 OPENSSL_EXPORT int X509_EXTENSION_set_data(X509_EXTENSION *ex, 1663 const ASN1_OCTET_STRING *data); 1664 1665 // X509_EXTENSION_get_object returns |ex|'s extension type. 1666 OPENSSL_EXPORT ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex); 1667 1668 // X509_EXTENSION_get_data returns |ne|'s extension value. 1669 OPENSSL_EXPORT ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ne); 1670 1671 // X509_EXTENSION_get_critical returns one if |ex| is critical and zero 1672 // otherwise. 1673 OPENSSL_EXPORT int X509_EXTENSION_get_critical(const X509_EXTENSION *ex); 1674 1675 // X509at_get_attr_count returns the number of attributes in |x|. 1676 OPENSSL_EXPORT int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x); 1677 1678 // X509at_get_attr_by_NID returns the index of the attribute in |x| of type 1679 // |nid|, or a negative number if not found. If found, callers can use 1680 // |X509at_get_attr| to look up the attribute by index. 1681 // 1682 // If |lastpos| is non-negative, it begins searching at |lastpos| + 1. Callers 1683 // can thus loop over all matching attributes by first passing -1 and then 1684 // passing the previously-returned value until no match is returned. 1685 OPENSSL_EXPORT int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x, 1686 int nid, int lastpos); 1687 1688 // X509at_get_attr_by_OBJ behaves like |X509at_get_attr_by_NID| but looks for 1689 // attributes of type |obj|. 1690 OPENSSL_EXPORT int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk, 1691 const ASN1_OBJECT *obj, int lastpos); 1692 1693 // X509at_get_attr returns the attribute at index |loc| in |x|, or NULL if 1694 // out of bounds. 1695 OPENSSL_EXPORT X509_ATTRIBUTE *X509at_get_attr( 1696 const STACK_OF(X509_ATTRIBUTE) *x, int loc); 1697 1698 // X509at_delete_attr removes the attribute at index |loc| in |x|. It returns 1699 // the removed attribute to the caller, or NULL if |loc| was out of bounds. If 1700 // non-NULL, the caller must release the result with |X509_ATTRIBUTE_free| when 1701 // done. It is also safe, but not necessary, to call |X509_ATTRIBUTE_free| if 1702 // the result is NULL. 1703 OPENSSL_EXPORT X509_ATTRIBUTE *X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x, 1704 int loc); 1705 1706 // X509at_add1_attr appends a copy of |attr| to the attribute list in |*x|. If 1707 // |*x| is NULL, it allocates a new |STACK_OF(X509_ATTRIBUTE)| to hold the copy 1708 // and sets |*x| to the new list. It returns |*x| on success and NULL on error. 1709 // The caller retains ownership of |attr| and can release it independently of 1710 // |*x|. 1711 OPENSSL_EXPORT STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr( 1712 STACK_OF(X509_ATTRIBUTE) **x, X509_ATTRIBUTE *attr); 1713 1714 // X509at_add1_attr_by_OBJ behaves like |X509at_add1_attr|, but adds an 1715 // attribute created by |X509_ATTRIBUTE_create_by_OBJ|. 1716 OPENSSL_EXPORT STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ( 1717 STACK_OF(X509_ATTRIBUTE) **x, const ASN1_OBJECT *obj, int type, 1718 const unsigned char *bytes, int len); 1719 1720 // X509at_add1_attr_by_NID behaves like |X509at_add1_attr|, but adds an 1721 // attribute created by |X509_ATTRIBUTE_create_by_NID|. 1722 OPENSSL_EXPORT STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID( 1723 STACK_OF(X509_ATTRIBUTE) **x, int nid, int type, const unsigned char *bytes, 1724 int len); 1725 1726 // X509at_add1_attr_by_txt behaves like |X509at_add1_attr|, but adds an 1727 // attribute created by |X509_ATTRIBUTE_create_by_txt|. 1728 OPENSSL_EXPORT STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt( 1729 STACK_OF(X509_ATTRIBUTE) **x, const char *attrname, int type, 1730 const unsigned char *bytes, int len); 1731 1732 // X509_ATTRIBUTE_create_by_NID returns a newly-allocated |X509_ATTRIBUTE| of 1733 // type |nid|, or NULL on error. The value is determined as in 1734 // |X509_ATTRIBUTE_set1_data|. 1735 // 1736 // If |attr| is non-NULL, the resulting |X509_ATTRIBUTE| is also written to 1737 // |*attr|. If |*attr| was non-NULL when the function was called, |*attr| is 1738 // reused instead of creating a new object. 1739 // 1740 // WARNING: The interpretation of |attrtype|, |data|, and |len| is complex and 1741 // error-prone. See |X509_ATTRIBUTE_set1_data| for details. 1742 // 1743 // WARNING: The object reuse form is deprecated and may be removed in the 1744 // future. It also currently incorrectly appends to the reused object's value 1745 // set rather than overwriting it. 1746 OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID( 1747 X509_ATTRIBUTE **attr, int nid, int attrtype, const void *data, int len); 1748 1749 // X509_ATTRIBUTE_create_by_OBJ behaves like |X509_ATTRIBUTE_create_by_NID| 1750 // except the attribute's type is determined by |obj|. 1751 OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ( 1752 X509_ATTRIBUTE **attr, const ASN1_OBJECT *obj, int attrtype, 1753 const void *data, int len); 1754 1755 // X509_ATTRIBUTE_create_by_txt behaves like |X509_ATTRIBUTE_create_by_NID| 1756 // except the attribute's type is determined by calling |OBJ_txt2obj| with 1757 // |attrname|. 1758 OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt( 1759 X509_ATTRIBUTE **attr, const char *attrname, int type, 1760 const unsigned char *bytes, int len); 1761 1762 // X509_ATTRIBUTE_set1_object sets |attr|'s type to |obj|. It returns one on 1763 // success and zero on error. 1764 OPENSSL_EXPORT int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, 1765 const ASN1_OBJECT *obj); 1766 1767 // X509_ATTRIBUTE_set1_data appends a value to |attr|'s value set and returns 1768 // one on success or zero on error. The value is determined as follows: 1769 // 1770 // If |attrtype| is a |MBSTRING_*| constant, the value is an ASN.1 string. The 1771 // string is determined by decoding |len| bytes from |data| in the encoding 1772 // specified by |attrtype|, and then re-encoding it in a form appropriate for 1773 // |attr|'s type. If |len| is -1, |strlen(data)| is used instead. See 1774 // |ASN1_STRING_set_by_NID| for details. 1775 // 1776 // TODO(davidben): Document |ASN1_STRING_set_by_NID| so the reference is useful. 1777 // 1778 // Otherwise, if |len| is not -1, the value is an ASN.1 string. |attrtype| is an 1779 // |ASN1_STRING| type value and the |len| bytes from |data| are copied as the 1780 // type-specific representation of |ASN1_STRING|. See |ASN1_STRING| for details. 1781 // 1782 // WARNING: If this form is used to construct a negative INTEGER or ENUMERATED, 1783 // |attrtype| includes the |V_ASN1_NEG| flag for |ASN1_STRING|, but the function 1784 // forgets to clear the flag for |ASN1_TYPE|. This matches OpenSSL but is 1785 // probably a bug. For now, do not use this form with negative values. 1786 // 1787 // Otherwise, if |len| is -1, the value is constructed by passing |attrtype| and 1788 // |data| to |ASN1_TYPE_set1|. That is, |attrtype| is an |ASN1_TYPE| type value, 1789 // and |data| is cast to the corresponding pointer type. 1790 // 1791 // WARNING: Despite the name, this function appends to |attr|'s value set, 1792 // rather than overwriting it. To overwrite the value set, create a new 1793 // |X509_ATTRIBUTE| with |X509_ATTRIBUTE_new|. 1794 // 1795 // WARNING: If using the |MBSTRING_*| form, pass a length rather than relying on 1796 // |strlen|. In particular, |strlen| will not behave correctly if the input is 1797 // |MBSTRING_BMP| or |MBSTRING_UNIV|. 1798 // 1799 // WARNING: This function currently misinterprets |V_ASN1_OTHER| as an 1800 // |MBSTRING_*| constant. This matches OpenSSL but means it is impossible to 1801 // construct a value with a non-universal tag. 1802 OPENSSL_EXPORT int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, 1803 const void *data, int len); 1804 1805 // X509_ATTRIBUTE_get0_data returns the |idx|th value of |attr| in a 1806 // type-specific representation to |attrtype|, or NULL if out of bounds or the 1807 // type does not match. |attrtype| is one of the type values in |ASN1_TYPE|. On 1808 // match, the return value uses the same representation as |ASN1_TYPE_set0|. See 1809 // |ASN1_TYPE| for details. 1810 OPENSSL_EXPORT void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx, 1811 int attrtype, void *unused); 1812 1813 // X509_ATTRIBUTE_count returns the number of values in |attr|. 1814 OPENSSL_EXPORT int X509_ATTRIBUTE_count(const X509_ATTRIBUTE *attr); 1815 1816 // X509_ATTRIBUTE_get0_object returns the type of |attr|. 1817 OPENSSL_EXPORT ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr); 1818 1819 // X509_ATTRIBUTE_get0_type returns the |idx|th value in |attr|, or NULL if out 1820 // of bounds. Note this function returns one of |attr|'s values, not the type. 1821 OPENSSL_EXPORT ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, 1822 int idx); 1823 1824 OPENSSL_EXPORT int X509_verify_cert(X509_STORE_CTX *ctx); 1825 1826 // lookup a cert from a X509 STACK 1827 OPENSSL_EXPORT X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, 1828 X509_NAME *name, 1829 ASN1_INTEGER *serial); 1830 OPENSSL_EXPORT X509 *X509_find_by_subject(STACK_OF(X509) *sk, X509_NAME *name); 1831 1832 // PKCS#8 utilities 1833 1834 DECLARE_ASN1_FUNCTIONS(PKCS8_PRIV_KEY_INFO) 1835 1836 OPENSSL_EXPORT EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8); 1837 OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey); 1838 1839 OPENSSL_EXPORT int PKCS8_pkey_set0(PKCS8_PRIV_KEY_INFO *priv, ASN1_OBJECT *aobj, 1840 int version, int ptype, void *pval, 1841 unsigned char *penc, int penclen); 1842 OPENSSL_EXPORT int PKCS8_pkey_get0(ASN1_OBJECT **ppkalg, 1843 const unsigned char **pk, int *ppklen, 1844 X509_ALGOR **pa, PKCS8_PRIV_KEY_INFO *p8); 1845 1846 // X509_PUBKEY_set0_param sets |pub| to a key with AlgorithmIdentifier 1847 // determined by |obj|, |param_type|, and |param_value|, and an encoded 1848 // public key of |key|. On success, it takes ownership of all its parameters and 1849 // returns one. Otherwise, it returns zero. |key| must have been allocated by 1850 // |OPENSSL_malloc|. 1851 // 1852 // |obj|, |param_type|, and |param_value| are interpreted as in 1853 // |X509_ALGOR_set0|. See |X509_ALGOR_set0| for details. 1854 OPENSSL_EXPORT int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *obj, 1855 int param_type, void *param_value, 1856 uint8_t *key, int key_len); 1857 1858 // X509_PUBKEY_get0_param outputs fields of |pub| and returns one. If |out_obj| 1859 // is not NULL, it sets |*out_obj| to AlgorithmIdentifier's OID. If |out_key| 1860 // is not NULL, it sets |*out_key| and |*out_key_len| to the encoded public key. 1861 // If |out_alg| is not NULL, it sets |*out_alg| to the AlgorithmIdentifier. 1862 // 1863 // Note: X.509 SubjectPublicKeyInfo structures store the encoded public key as a 1864 // BIT STRING. |*out_key| and |*out_key_len| will silently pad the key with zero 1865 // bits if |pub| did not contain a whole number of bytes. Use 1866 // |X509_PUBKEY_get0_public_key| to preserve this information. 1867 OPENSSL_EXPORT int X509_PUBKEY_get0_param(ASN1_OBJECT **out_obj, 1868 const uint8_t **out_key, 1869 int *out_key_len, 1870 X509_ALGOR **out_alg, 1871 X509_PUBKEY *pub); 1872 1873 // X509_PUBKEY_get0_public_key returns |pub|'s encoded public key. 1874 OPENSSL_EXPORT const ASN1_BIT_STRING *X509_PUBKEY_get0_public_key( 1875 const X509_PUBKEY *pub); 1876 1877 OPENSSL_EXPORT int X509_check_trust(X509 *x, int id, int flags); 1878 OPENSSL_EXPORT int X509_TRUST_get_count(void); 1879 OPENSSL_EXPORT X509_TRUST *X509_TRUST_get0(int idx); 1880 OPENSSL_EXPORT int X509_TRUST_get_by_id(int id); 1881 OPENSSL_EXPORT int X509_TRUST_add(int id, int flags, 1882 int (*ck)(X509_TRUST *, X509 *, int), 1883 char *name, int arg1, void *arg2); 1884 OPENSSL_EXPORT void X509_TRUST_cleanup(void); 1885 OPENSSL_EXPORT int X509_TRUST_get_flags(const X509_TRUST *xp); 1886 OPENSSL_EXPORT char *X509_TRUST_get0_name(const X509_TRUST *xp); 1887 OPENSSL_EXPORT int X509_TRUST_get_trust(const X509_TRUST *xp); 1888 1889 1890 typedef struct rsa_pss_params_st { 1891 X509_ALGOR *hashAlgorithm; 1892 X509_ALGOR *maskGenAlgorithm; 1893 ASN1_INTEGER *saltLength; 1894 ASN1_INTEGER *trailerField; 1895 } RSA_PSS_PARAMS; 1896 1897 DECLARE_ASN1_FUNCTIONS(RSA_PSS_PARAMS) 1898 1899 1900 1901 #ifdef __cplusplus 1902 } 1903 #endif 1904 1905 #if !defined(BORINGSSL_NO_CXX) 1906 extern "C++" { 1907 1908 BSSL_NAMESPACE_BEGIN 1909 1910 BORINGSSL_MAKE_DELETER(NETSCAPE_SPKI, NETSCAPE_SPKI_free) 1911 BORINGSSL_MAKE_DELETER(RSA_PSS_PARAMS, RSA_PSS_PARAMS_free) 1912 BORINGSSL_MAKE_DELETER(X509, X509_free) 1913 BORINGSSL_MAKE_UP_REF(X509, X509_up_ref) 1914 BORINGSSL_MAKE_DELETER(X509_ALGOR, X509_ALGOR_free) 1915 BORINGSSL_MAKE_DELETER(X509_ATTRIBUTE, X509_ATTRIBUTE_free) 1916 BORINGSSL_MAKE_DELETER(X509_CRL, X509_CRL_free) 1917 BORINGSSL_MAKE_UP_REF(X509_CRL, X509_CRL_up_ref) 1918 BORINGSSL_MAKE_DELETER(X509_CRL_METHOD, X509_CRL_METHOD_free) 1919 BORINGSSL_MAKE_DELETER(X509_EXTENSION, X509_EXTENSION_free) 1920 BORINGSSL_MAKE_DELETER(X509_INFO, X509_INFO_free) 1921 BORINGSSL_MAKE_DELETER(X509_LOOKUP, X509_LOOKUP_free) 1922 BORINGSSL_MAKE_DELETER(X509_NAME, X509_NAME_free) 1923 BORINGSSL_MAKE_DELETER(X509_NAME_ENTRY, X509_NAME_ENTRY_free) 1924 BORINGSSL_MAKE_DELETER(X509_PKEY, X509_PKEY_free) 1925 BORINGSSL_MAKE_DELETER(X509_POLICY_TREE, X509_policy_tree_free) 1926 BORINGSSL_MAKE_DELETER(X509_PUBKEY, X509_PUBKEY_free) 1927 BORINGSSL_MAKE_DELETER(X509_REQ, X509_REQ_free) 1928 BORINGSSL_MAKE_DELETER(X509_REVOKED, X509_REVOKED_free) 1929 BORINGSSL_MAKE_DELETER(X509_SIG, X509_SIG_free) 1930 BORINGSSL_MAKE_DELETER(X509_STORE, X509_STORE_free) 1931 BORINGSSL_MAKE_UP_REF(X509_STORE, X509_STORE_up_ref) 1932 BORINGSSL_MAKE_DELETER(X509_STORE_CTX, X509_STORE_CTX_free) 1933 BORINGSSL_MAKE_DELETER(X509_VERIFY_PARAM, X509_VERIFY_PARAM_free) 1934 1935 BSSL_NAMESPACE_END 1936 1937 } // extern C++ 1938 #endif // !BORINGSSL_NO_CXX 1939 1940 #define X509_R_AKID_MISMATCH 100 1941 #define X509_R_BAD_PKCS7_VERSION 101 1942 #define X509_R_BAD_X509_FILETYPE 102 1943 #define X509_R_BASE64_DECODE_ERROR 103 1944 #define X509_R_CANT_CHECK_DH_KEY 104 1945 #define X509_R_CERT_ALREADY_IN_HASH_TABLE 105 1946 #define X509_R_CRL_ALREADY_DELTA 106 1947 #define X509_R_CRL_VERIFY_FAILURE 107 1948 #define X509_R_IDP_MISMATCH 108 1949 #define X509_R_INVALID_BIT_STRING_BITS_LEFT 109 1950 #define X509_R_INVALID_DIRECTORY 110 1951 #define X509_R_INVALID_FIELD_NAME 111 1952 #define X509_R_INVALID_PSS_PARAMETERS 112 1953 #define X509_R_INVALID_TRUST 113 1954 #define X509_R_ISSUER_MISMATCH 114 1955 #define X509_R_KEY_TYPE_MISMATCH 115 1956 #define X509_R_KEY_VALUES_MISMATCH 116 1957 #define X509_R_LOADING_CERT_DIR 117 1958 #define X509_R_LOADING_DEFAULTS 118 1959 #define X509_R_NEWER_CRL_NOT_NEWER 119 1960 #define X509_R_NOT_PKCS7_SIGNED_DATA 120 1961 #define X509_R_NO_CERTIFICATES_INCLUDED 121 1962 #define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY 122 1963 #define X509_R_NO_CRLS_INCLUDED 123 1964 #define X509_R_NO_CRL_NUMBER 124 1965 #define X509_R_PUBLIC_KEY_DECODE_ERROR 125 1966 #define X509_R_PUBLIC_KEY_ENCODE_ERROR 126 1967 #define X509_R_SHOULD_RETRY 127 1968 #define X509_R_UNKNOWN_KEY_TYPE 128 1969 #define X509_R_UNKNOWN_NID 129 1970 #define X509_R_UNKNOWN_PURPOSE_ID 130 1971 #define X509_R_UNKNOWN_TRUST_ID 131 1972 #define X509_R_UNSUPPORTED_ALGORITHM 132 1973 #define X509_R_WRONG_LOOKUP_TYPE 133 1974 #define X509_R_WRONG_TYPE 134 1975 #define X509_R_NAME_TOO_LONG 135 1976 #define X509_R_INVALID_PARAMETER 136 1977 #define X509_R_SIGNATURE_ALGORITHM_MISMATCH 137 1978 #define X509_R_DELTA_CRL_WITHOUT_CRL_NUMBER 138 1979 #define X509_R_INVALID_FIELD_FOR_VERSION 139 1980 #define X509_R_INVALID_VERSION 140 1981 1982 #endif 1983