1/*
2 * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#ifndef HEADER_X509V3_H
11# define HEADER_X509V3_H
12
13# include <openssl/bio.h>
14# include <openssl/x509.h>
15# include <openssl/conf.h>
16
17#ifdef __cplusplus
18extern "C" {
19#endif
20
21/* Forward reference */
22struct v3_ext_method;
23struct v3_ext_ctx;
24
25/* Useful typedefs */
26
27typedef void *(*X509V3_EXT_NEW)(void);
28typedef void (*X509V3_EXT_FREE) (void *);
29typedef void *(*X509V3_EXT_D2I)(void *, const unsigned char **, long);
30typedef int (*X509V3_EXT_I2D) (void *, unsigned char **);
31typedef STACK_OF(CONF_VALUE) *
32 (*X509V3_EXT_I2V) (const struct v3_ext_method *method, void *ext,
33 STACK_OF(CONF_VALUE) *extlist);
34typedef void *(*X509V3_EXT_V2I)(const struct v3_ext_method *method,
35 struct v3_ext_ctx *ctx,
36 STACK_OF(CONF_VALUE) *values);
37typedef char *(*X509V3_EXT_I2S)(const struct v3_ext_method *method,
38 void *ext);
39typedef void *(*X509V3_EXT_S2I)(const struct v3_ext_method *method,
40 struct v3_ext_ctx *ctx, const char *str);
41typedef int (*X509V3_EXT_I2R) (const struct v3_ext_method *method, void *ext,
42 BIO *out, int indent);
43typedef void *(*X509V3_EXT_R2I)(const struct v3_ext_method *method,
44 struct v3_ext_ctx *ctx, const char *str);
45
46/* V3 extension structure */
47
48struct v3_ext_method {
49 int ext_nid;
50 int ext_flags;
51/* If this is set the following four fields are ignored */
52 ASN1_ITEM_EXP *it;
53/* Old style ASN1 calls */
54 X509V3_EXT_NEW ext_new;
55 X509V3_EXT_FREE ext_free;
56 X509V3_EXT_D2I d2i;
57 X509V3_EXT_I2D i2d;
58/* The following pair is used for string extensions */
59 X509V3_EXT_I2S i2s;
60 X509V3_EXT_S2I s2i;
61/* The following pair is used for multi-valued extensions */
62 X509V3_EXT_I2V i2v;
63 X509V3_EXT_V2I v2i;
64/* The following are used for raw extensions */
65 X509V3_EXT_I2R i2r;
66 X509V3_EXT_R2I r2i;
67 void *usr_data; /* Any extension specific data */
68};
69
70typedef struct X509V3_CONF_METHOD_st {
71 char *(*get_string) (void *db, const char *section, const char *value);
72 STACK_OF(CONF_VALUE) *(*get_section) (void *db, const char *section);
73 void (*free_string) (void *db, char *string);
74 void (*free_section) (void *db, STACK_OF(CONF_VALUE) *section);
75} X509V3_CONF_METHOD;
76
77/* Context specific info */
78struct v3_ext_ctx {
79# define CTX_TEST 0x1
80# define X509V3_CTX_REPLACE 0x2
81 int flags;
82 X509 *issuer_cert;
83 X509 *subject_cert;
84 X509_REQ *subject_req;
85 X509_CRL *crl;
86 X509V3_CONF_METHOD *db_meth;
87 void *db;
88/* Maybe more here */
89};
90
91typedef struct v3_ext_method X509V3_EXT_METHOD;
92
93DEFINE_STACK_OF(X509V3_EXT_METHOD)
94
95/* ext_flags values */
96# define X509V3_EXT_DYNAMIC 0x1
97# define X509V3_EXT_CTX_DEP 0x2
98# define X509V3_EXT_MULTILINE 0x4
99
100typedef BIT_STRING_BITNAME ENUMERATED_NAMES;
101
102typedef struct BASIC_CONSTRAINTS_st {
103 int ca;
104 ASN1_INTEGER *pathlen;
105} BASIC_CONSTRAINTS;
106
107typedef struct PKEY_USAGE_PERIOD_st {
108 ASN1_GENERALIZEDTIME *notBefore;
109 ASN1_GENERALIZEDTIME *notAfter;
110} PKEY_USAGE_PERIOD;
111
112typedef struct otherName_st {
113 ASN1_OBJECT *type_id;
114 ASN1_TYPE *value;
115} OTHERNAME;
116
117typedef struct EDIPartyName_st {
118 ASN1_STRING *nameAssigner;
119 ASN1_STRING *partyName;
120} EDIPARTYNAME;
121
122typedef struct GENERAL_NAME_st {
123# define GEN_OTHERNAME 0
124# define GEN_EMAIL 1
125# define GEN_DNS 2
126# define GEN_X400 3
127# define GEN_DIRNAME 4
128# define GEN_EDIPARTY 5
129# define GEN_URI 6
130# define GEN_IPADD 7
131# define GEN_RID 8
132 int type;
133 union {
134 char *ptr;
135 OTHERNAME *otherName; /* otherName */
136 ASN1_IA5STRING *rfc822Name;
137 ASN1_IA5STRING *dNSName;
138 ASN1_TYPE *x400Address;
139 X509_NAME *directoryName;
140 EDIPARTYNAME *ediPartyName;
141 ASN1_IA5STRING *uniformResourceIdentifier;
142 ASN1_OCTET_STRING *iPAddress;
143 ASN1_OBJECT *registeredID;
144 /* Old names */
145 ASN1_OCTET_STRING *ip; /* iPAddress */
146 X509_NAME *dirn; /* dirn */
147 ASN1_IA5STRING *ia5; /* rfc822Name, dNSName,
148 * uniformResourceIdentifier */
149 ASN1_OBJECT *rid; /* registeredID */
150 ASN1_TYPE *other; /* x400Address */
151 } d;
152} GENERAL_NAME;
153
154typedef struct ACCESS_DESCRIPTION_st {
155 ASN1_OBJECT *method;
156 GENERAL_NAME *location;
157} ACCESS_DESCRIPTION;
158
159typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
160
161typedef STACK_OF(ASN1_OBJECT) EXTENDED_KEY_USAGE;
162
163typedef STACK_OF(ASN1_INTEGER) TLS_FEATURE;
164
165DEFINE_STACK_OF(GENERAL_NAME)
166typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES;
167DEFINE_STACK_OF(GENERAL_NAMES)
168
169DEFINE_STACK_OF(ACCESS_DESCRIPTION)
170
171typedef struct DIST_POINT_NAME_st {
172 int type;
173 union {
174 GENERAL_NAMES *fullname;
175 STACK_OF(X509_NAME_ENTRY) *relativename;
176 } name;
177/* If relativename then this contains the full distribution point name */
178 X509_NAME *dpname;
179} DIST_POINT_NAME;
180/* All existing reasons */
181# define CRLDP_ALL_REASONS 0x807f
182
183# define CRL_REASON_NONE -1
184# define CRL_REASON_UNSPECIFIED 0
185# define CRL_REASON_KEY_COMPROMISE 1
186# define CRL_REASON_CA_COMPROMISE 2
187# define CRL_REASON_AFFILIATION_CHANGED 3
188# define CRL_REASON_SUPERSEDED 4
189# define CRL_REASON_CESSATION_OF_OPERATION 5
190# define CRL_REASON_CERTIFICATE_HOLD 6
191# define CRL_REASON_REMOVE_FROM_CRL 8
192# define CRL_REASON_PRIVILEGE_WITHDRAWN 9
193# define CRL_REASON_AA_COMPROMISE 10
194
195struct DIST_POINT_st {
196 DIST_POINT_NAME *distpoint;
197 ASN1_BIT_STRING *reasons;
198 GENERAL_NAMES *CRLissuer;
199 int dp_reasons;
200};
201
202typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS;
203
204DEFINE_STACK_OF(DIST_POINT)
205
206struct AUTHORITY_KEYID_st {
207 ASN1_OCTET_STRING *keyid;
208 GENERAL_NAMES *issuer;
209 ASN1_INTEGER *serial;
210};
211
212/* Strong extranet structures */
213
214typedef struct SXNET_ID_st {
215 ASN1_INTEGER *zone;
216 ASN1_OCTET_STRING *user;
217} SXNETID;
218
219DEFINE_STACK_OF(SXNETID)
220
221typedef struct SXNET_st {
222 ASN1_INTEGER *version;
223 STACK_OF(SXNETID) *ids;
224} SXNET;
225
226typedef struct NOTICEREF_st {
227 ASN1_STRING *organization;
228 STACK_OF(ASN1_INTEGER) *noticenos;
229} NOTICEREF;
230
231typedef struct USERNOTICE_st {
232 NOTICEREF *noticeref;
233 ASN1_STRING *exptext;
234} USERNOTICE;
235
236typedef struct POLICYQUALINFO_st {
237 ASN1_OBJECT *pqualid;
238 union {
239 ASN1_IA5STRING *cpsuri;
240 USERNOTICE *usernotice;
241 ASN1_TYPE *other;
242 } d;
243} POLICYQUALINFO;
244
245DEFINE_STACK_OF(POLICYQUALINFO)
246
247typedef struct POLICYINFO_st {
248 ASN1_OBJECT *policyid;
249 STACK_OF(POLICYQUALINFO) *qualifiers;
250} POLICYINFO;
251
252typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES;
253
254DEFINE_STACK_OF(POLICYINFO)
255
256typedef struct POLICY_MAPPING_st {
257 ASN1_OBJECT *issuerDomainPolicy;
258 ASN1_OBJECT *subjectDomainPolicy;
259} POLICY_MAPPING;
260
261DEFINE_STACK_OF(POLICY_MAPPING)
262
263typedef STACK_OF(POLICY_MAPPING) POLICY_MAPPINGS;
264
265typedef struct GENERAL_SUBTREE_st {
266 GENERAL_NAME *base;
267 ASN1_INTEGER *minimum;
268 ASN1_INTEGER *maximum;
269} GENERAL_SUBTREE;
270
271DEFINE_STACK_OF(GENERAL_SUBTREE)
272
273struct NAME_CONSTRAINTS_st {
274 STACK_OF(GENERAL_SUBTREE) *permittedSubtrees;
275 STACK_OF(GENERAL_SUBTREE) *excludedSubtrees;
276};
277
278typedef struct POLICY_CONSTRAINTS_st {
279 ASN1_INTEGER *requireExplicitPolicy;
280 ASN1_INTEGER *inhibitPolicyMapping;
281} POLICY_CONSTRAINTS;
282
283/* Proxy certificate structures, see RFC 3820 */
284typedef struct PROXY_POLICY_st {
285 ASN1_OBJECT *policyLanguage;
286 ASN1_OCTET_STRING *policy;
287} PROXY_POLICY;
288
289typedef struct PROXY_CERT_INFO_EXTENSION_st {
290 ASN1_INTEGER *pcPathLengthConstraint;
291 PROXY_POLICY *proxyPolicy;
292} PROXY_CERT_INFO_EXTENSION;
293
294DECLARE_ASN1_FUNCTIONS(PROXY_POLICY)
295DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
296
297struct ISSUING_DIST_POINT_st {
298 DIST_POINT_NAME *distpoint;
299 int onlyuser;
300 int onlyCA;
301 ASN1_BIT_STRING *onlysomereasons;
302 int indirectCRL;
303 int onlyattr;
304};
305
306/* Values in idp_flags field */
307/* IDP present */
308# define IDP_PRESENT 0x1
309/* IDP values inconsistent */
310# define IDP_INVALID 0x2
311/* onlyuser true */
312# define IDP_ONLYUSER 0x4
313/* onlyCA true */
314# define IDP_ONLYCA 0x8
315/* onlyattr true */
316# define IDP_ONLYATTR 0x10
317/* indirectCRL true */
318# define IDP_INDIRECT 0x20
319/* onlysomereasons present */
320# define IDP_REASONS 0x40
321
322# define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \
323",name:", val->name, ",value:", val->value);
324
325# define X509V3_set_ctx_test(ctx) \
326 X509V3_set_ctx(ctx, NULL, NULL, NULL, NULL, CTX_TEST)
327# define X509V3_set_ctx_nodb(ctx) (ctx)->db = NULL;
328
329# define EXT_BITSTRING(nid, table) { nid, 0, ASN1_ITEM_ref(ASN1_BIT_STRING), \
330 0,0,0,0, \
331 0,0, \
332 (X509V3_EXT_I2V)i2v_ASN1_BIT_STRING, \
333 (X509V3_EXT_V2I)v2i_ASN1_BIT_STRING, \
334 NULL, NULL, \
335 table}
336
337# define EXT_IA5STRING(nid) { nid, 0, ASN1_ITEM_ref(ASN1_IA5STRING), \
338 0,0,0,0, \
339 (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, \
340 (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, \
341 0,0,0,0, \
342 NULL}
343
344# define EXT_END { -1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
345
346/* X509_PURPOSE stuff */
347
348# define EXFLAG_BCONS 0x1
349# define EXFLAG_KUSAGE 0x2
350# define EXFLAG_XKUSAGE 0x4
351# define EXFLAG_NSCERT 0x8
352
353# define EXFLAG_CA 0x10
354/* Really self issued not necessarily self signed */
355# define EXFLAG_SI 0x20
356# define EXFLAG_V1 0x40
357# define EXFLAG_INVALID 0x80
358/* EXFLAG_SET is set to indicate that some values have been precomputed */
359# define EXFLAG_SET 0x100
360# define EXFLAG_CRITICAL 0x200
361# define EXFLAG_PROXY 0x400
362
363# define EXFLAG_INVALID_POLICY 0x800
364# define EXFLAG_FRESHEST 0x1000
365/* Self signed */
366# define EXFLAG_SS 0x2000
367
368# define KU_DIGITAL_SIGNATURE 0x0080
369# define KU_NON_REPUDIATION 0x0040
370# define KU_KEY_ENCIPHERMENT 0x0020
371# define KU_DATA_ENCIPHERMENT 0x0010
372# define KU_KEY_AGREEMENT 0x0008
373# define KU_KEY_CERT_SIGN 0x0004
374# define KU_CRL_SIGN 0x0002
375# define KU_ENCIPHER_ONLY 0x0001
376# define KU_DECIPHER_ONLY 0x8000
377
378# define NS_SSL_CLIENT 0x80
379# define NS_SSL_SERVER 0x40
380# define NS_SMIME 0x20
381# define NS_OBJSIGN 0x10
382# define NS_SSL_CA 0x04
383# define NS_SMIME_CA 0x02
384# define NS_OBJSIGN_CA 0x01
385# define NS_ANY_CA (NS_SSL_CA|NS_SMIME_CA|NS_OBJSIGN_CA)
386
387# define XKU_SSL_SERVER 0x1
388# define XKU_SSL_CLIENT 0x2
389# define XKU_SMIME 0x4
390# define XKU_CODE_SIGN 0x8
391# define XKU_SGC 0x10
392# define XKU_OCSP_SIGN 0x20
393# define XKU_TIMESTAMP 0x40
394# define XKU_DVCS 0x80
395# define XKU_ANYEKU 0x100
396
397# define X509_PURPOSE_DYNAMIC 0x1
398# define X509_PURPOSE_DYNAMIC_NAME 0x2
399
400typedef struct x509_purpose_st {
401 int purpose;
402 int trust; /* Default trust ID */
403 int flags;
404 int (*check_purpose) (const struct x509_purpose_st *, const X509 *, int);
405 char *name;
406 char *sname;
407 void *usr_data;
408} X509_PURPOSE;
409
410# define X509_PURPOSE_SSL_CLIENT 1
411# define X509_PURPOSE_SSL_SERVER 2
412# define X509_PURPOSE_NS_SSL_SERVER 3
413# define X509_PURPOSE_SMIME_SIGN 4
414# define X509_PURPOSE_SMIME_ENCRYPT 5
415# define X509_PURPOSE_CRL_SIGN 6
416# define X509_PURPOSE_ANY 7
417# define X509_PURPOSE_OCSP_HELPER 8
418# define X509_PURPOSE_TIMESTAMP_SIGN 9
419
420# define X509_PURPOSE_MIN 1
421# define X509_PURPOSE_MAX 9
422
423/* Flags for X509V3_EXT_print() */
424
425# define X509V3_EXT_UNKNOWN_MASK (0xfL << 16)
426/* Return error for unknown extensions */
427# define X509V3_EXT_DEFAULT 0
428/* Print error for unknown extensions */
429# define X509V3_EXT_ERROR_UNKNOWN (1L << 16)
430/* ASN1 parse unknown extensions */
431# define X509V3_EXT_PARSE_UNKNOWN (2L << 16)
432/* BIO_dump unknown extensions */
433# define X509V3_EXT_DUMP_UNKNOWN (3L << 16)
434
435/* Flags for X509V3_add1_i2d */
436
437# define X509V3_ADD_OP_MASK 0xfL
438# define X509V3_ADD_DEFAULT 0L
439# define X509V3_ADD_APPEND 1L
440# define X509V3_ADD_REPLACE 2L
441# define X509V3_ADD_REPLACE_EXISTING 3L
442# define X509V3_ADD_KEEP_EXISTING 4L
443# define X509V3_ADD_DELETE 5L
444# define X509V3_ADD_SILENT 0x10
445
446DEFINE_STACK_OF(X509_PURPOSE)
447
448DECLARE_ASN1_FUNCTIONS(BASIC_CONSTRAINTS)
449
450DECLARE_ASN1_FUNCTIONS(SXNET)
451DECLARE_ASN1_FUNCTIONS(SXNETID)
452
453int SXNET_add_id_asc(SXNET **psx, const char *zone, const char *user, int userlen);
454int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, const char *user,
455 int userlen);
456int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *izone, const char *user,
457 int userlen);
458
459ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, const char *zone);
460ASN1_OCTET_STRING *SXNET_get_id_ulong(SXNET *sx, unsigned long lzone);
461ASN1_OCTET_STRING *SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone);
462
463DECLARE_ASN1_FUNCTIONS(AUTHORITY_KEYID)
464
465DECLARE_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD)
466
467DECLARE_ASN1_FUNCTIONS(GENERAL_NAME)
468GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a);
469int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b);
470
471ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
472 X509V3_CTX *ctx,
473 STACK_OF(CONF_VALUE) *nval);
474STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
475 ASN1_BIT_STRING *bits,
476 STACK_OF(CONF_VALUE) *extlist);
477char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5);
478ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
479 X509V3_CTX *ctx, const char *str);
480
481STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
482 GENERAL_NAME *gen,
483 STACK_OF(CONF_VALUE) *ret);
484int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen);
485
486DECLARE_ASN1_FUNCTIONS(GENERAL_NAMES)
487
488STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
489 GENERAL_NAMES *gen,
490 STACK_OF(CONF_VALUE) *extlist);
491GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
492 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
493
494DECLARE_ASN1_FUNCTIONS(OTHERNAME)
495DECLARE_ASN1_FUNCTIONS(EDIPARTYNAME)
496int OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b);
497void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value);
498void *GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype);
499int GENERAL_NAME_set0_othername(GENERAL_NAME *gen,
500 ASN1_OBJECT *oid, ASN1_TYPE *value);
501int GENERAL_NAME_get0_otherName(GENERAL_NAME *gen,
502 ASN1_OBJECT **poid, ASN1_TYPE **pvalue);
503
504char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
505 const ASN1_OCTET_STRING *ia5);
506ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
507 X509V3_CTX *ctx, const char *str);
508
509DECLARE_ASN1_FUNCTIONS(EXTENDED_KEY_USAGE)
510int i2a_ACCESS_DESCRIPTION(BIO *bp, const ACCESS_DESCRIPTION *a);
511
512DECLARE_ASN1_ALLOC_FUNCTIONS(TLS_FEATURE)
513
514DECLARE_ASN1_FUNCTIONS(CERTIFICATEPOLICIES)
515DECLARE_ASN1_FUNCTIONS(POLICYINFO)
516DECLARE_ASN1_FUNCTIONS(POLICYQUALINFO)
517DECLARE_ASN1_FUNCTIONS(USERNOTICE)
518DECLARE_ASN1_FUNCTIONS(NOTICEREF)
519
520DECLARE_ASN1_FUNCTIONS(CRL_DIST_POINTS)
521DECLARE_ASN1_FUNCTIONS(DIST_POINT)
522DECLARE_ASN1_FUNCTIONS(DIST_POINT_NAME)
523DECLARE_ASN1_FUNCTIONS(ISSUING_DIST_POINT)
524
525int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname);
526
527int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc);
528int NAME_CONSTRAINTS_check_CN(X509 *x, NAME_CONSTRAINTS *nc);
529
530DECLARE_ASN1_FUNCTIONS(ACCESS_DESCRIPTION)
531DECLARE_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS)
532
533DECLARE_ASN1_ITEM(POLICY_MAPPING)
534DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING)
535DECLARE_ASN1_ITEM(POLICY_MAPPINGS)
536
537DECLARE_ASN1_ITEM(GENERAL_SUBTREE)
538DECLARE_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
539
540DECLARE_ASN1_ITEM(NAME_CONSTRAINTS)
541DECLARE_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
542
543DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)
544DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS)
545
546GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
547 const X509V3_EXT_METHOD *method,
548 X509V3_CTX *ctx, int gen_type,
549 const char *value, int is_nc);
550
551# ifdef HEADER_CONF_H
552GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method,
553 X509V3_CTX *ctx, CONF_VALUE *cnf);
554GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
555 const X509V3_EXT_METHOD *method,
556 X509V3_CTX *ctx, CONF_VALUE *cnf,
557 int is_nc);
558void X509V3_conf_free(CONF_VALUE *val);
559
560X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
561 const char *value);
562X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, const char *name,
563 const char *value);
564int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, const char *section,
565 STACK_OF(X509_EXTENSION) **sk);
566int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
567 X509 *cert);
568int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
569 X509_REQ *req);
570int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
571 X509_CRL *crl);
572
573X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf,
574 X509V3_CTX *ctx, int ext_nid,
575 const char *value);
576X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
577 const char *name, const char *value);
578int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
579 const char *section, X509 *cert);
580int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
581 const char *section, X509_REQ *req);
582int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
583 const char *section, X509_CRL *crl);
584
585int X509V3_add_value_bool_nf(const char *name, int asn1_bool,
586 STACK_OF(CONF_VALUE) **extlist);
587int X509V3_get_value_bool(const CONF_VALUE *value, int *asn1_bool);
588int X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint);
589void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf);
590void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash);
591# endif
592
593char *X509V3_get_string(X509V3_CTX *ctx, const char *name, const char *section);
594STACK_OF(CONF_VALUE) *X509V3_get_section(X509V3_CTX *ctx, const char *section);
595void X509V3_string_free(X509V3_CTX *ctx, char *str);
596void X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section);
597void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject,
598 X509_REQ *req, X509_CRL *crl, int flags);
599
600int X509V3_add_value(const char *name, const char *value,
601 STACK_OF(CONF_VALUE) **extlist);
602int X509V3_add_value_uchar(const char *name, const unsigned char *value,
603 STACK_OF(CONF_VALUE) **extlist);
604int X509V3_add_value_bool(const char *name, int asn1_bool,
605 STACK_OF(CONF_VALUE) **extlist);
606int X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint,
607 STACK_OF(CONF_VALUE) **extlist);
608char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD *meth, const ASN1_INTEGER *aint);
609ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *meth, const char *value);
610char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *meth, const ASN1_ENUMERATED *aint);
611char *i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *meth,
612 const ASN1_ENUMERATED *aint);
613int X509V3_EXT_add(X509V3_EXT_METHOD *ext);
614int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist);
615int X509V3_EXT_add_alias(int nid_to, int nid_from);
616void X509V3_EXT_cleanup(void);
617
618const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext);
619const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid);
620int X509V3_add_standard_extensions(void);
621STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line);
622void *X509V3_EXT_d2i(X509_EXTENSION *ext);
623void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
624 int *idx);
625
626X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
627int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
628 int crit, unsigned long flags);
629
630#if OPENSSL_API_COMPAT < 0x10100000L
631/* The new declarations are in crypto.h, but the old ones were here. */
632# define hex_to_string OPENSSL_buf2hexstr
633# define string_to_hex OPENSSL_hexstr2buf
634#endif
635
636void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent,
637 int ml);
638int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
639 int indent);
640#ifndef OPENSSL_NO_STDIO
641int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
642#endif
643int X509V3_extensions_print(BIO *out, const char *title,
644 const STACK_OF(X509_EXTENSION) *exts,
645 unsigned long flag, int indent);
646
647int X509_check_ca(X509 *x);
648int X509_check_purpose(X509 *x, int id, int ca);
649int X509_supported_extension(X509_EXTENSION *ex);
650int X509_PURPOSE_set(int *p, int purpose);
651int X509_check_issued(X509 *issuer, X509 *subject);
652int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid);
653void X509_set_proxy_flag(X509 *x);
654void X509_set_proxy_pathlen(X509 *x, long l);
655long X509_get_proxy_pathlen(X509 *x);
656
657uint32_t X509_get_extension_flags(X509 *x);
658uint32_t X509_get_key_usage(X509 *x);
659uint32_t X509_get_extended_key_usage(X509 *x);
660const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x);
661
662int X509_PURPOSE_get_count(void);
663X509_PURPOSE *X509_PURPOSE_get0(int idx);
664int X509_PURPOSE_get_by_sname(const char *sname);
665int X509_PURPOSE_get_by_id(int id);
666int X509_PURPOSE_add(int id, int trust, int flags,
667 int (*ck) (const X509_PURPOSE *, const X509 *, int),
668 const char *name, const char *sname, void *arg);
669char *X509_PURPOSE_get0_name(const X509_PURPOSE *xp);
670char *X509_PURPOSE_get0_sname(const X509_PURPOSE *xp);
671int X509_PURPOSE_get_trust(const X509_PURPOSE *xp);
672void X509_PURPOSE_cleanup(void);
673int X509_PURPOSE_get_id(const X509_PURPOSE *);
674
675STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x);
676STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x);
677void X509_email_free(STACK_OF(OPENSSL_STRING) *sk);
678STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
679/* Flags for X509_check_* functions */
680
681/*
682 * Always check subject name for host match even if subject alt names present
683 */
684# define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT 0x1
685/* Disable wildcard matching for dnsName fields and common name. */
686# define X509_CHECK_FLAG_NO_WILDCARDS 0x2
687/* Wildcards must not match a partial label. */
688# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0x4
689/* Allow (non-partial) wildcards to match multiple labels. */
690# define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0x8
691/* Constraint verifier subdomain patterns to match a single labels. */
692# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10
693/* Never check the subject CN */
694# define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20
695/*
696 * Match reference identifiers starting with "." to any sub-domain.
697 * This is a non-public flag, turned on implicitly when the subject
698 * reference identity is a DNS name.
699 */
700# define _X509_CHECK_FLAG_DOT_SUBDOMAINS 0x8000
701
702int X509_check_host(X509 *x, const char *chk, size_t chklen,
703 unsigned int flags, char **peername);
704int X509_check_email(X509 *x, const char *chk, size_t chklen,
705 unsigned int flags);
706int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,
707 unsigned int flags);
708int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags);
709
710ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc);
711ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc);
712int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE) *dn_sk,
713 unsigned long chtype);
714
715void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
716DEFINE_STACK_OF(X509_POLICY_NODE)
717
718#ifndef OPENSSL_NO_RFC3779
719typedef struct ASRange_st {
720 ASN1_INTEGER *min, *max;
721} ASRange;
722
723# define ASIdOrRange_id 0
724# define ASIdOrRange_range 1
725
726typedef struct ASIdOrRange_st {
727 int type;
728 union {
729 ASN1_INTEGER *id;
730 ASRange *range;
731 } u;
732} ASIdOrRange;
733
734typedef STACK_OF(ASIdOrRange) ASIdOrRanges;
735DEFINE_STACK_OF(ASIdOrRange)
736
737# define ASIdentifierChoice_inherit 0
738# define ASIdentifierChoice_asIdsOrRanges 1
739
740typedef struct ASIdentifierChoice_st {
741 int type;
742 union {
743 ASN1_NULL *inherit;
744 ASIdOrRanges *asIdsOrRanges;
745 } u;
746} ASIdentifierChoice;
747
748typedef struct ASIdentifiers_st {
749 ASIdentifierChoice *asnum, *rdi;
750} ASIdentifiers;
751
752DECLARE_ASN1_FUNCTIONS(ASRange)
753DECLARE_ASN1_FUNCTIONS(ASIdOrRange)
754DECLARE_ASN1_FUNCTIONS(ASIdentifierChoice)
755DECLARE_ASN1_FUNCTIONS(ASIdentifiers)
756
757typedef struct IPAddressRange_st {
758 ASN1_BIT_STRING *min, *max;
759} IPAddressRange;
760
761# define IPAddressOrRange_addressPrefix 0
762# define IPAddressOrRange_addressRange 1
763
764typedef struct IPAddressOrRange_st {
765 int type;
766 union {
767 ASN1_BIT_STRING *addressPrefix;
768 IPAddressRange *addressRange;
769 } u;
770} IPAddressOrRange;
771
772typedef STACK_OF(IPAddressOrRange) IPAddressOrRanges;
773DEFINE_STACK_OF(IPAddressOrRange)
774
775# define IPAddressChoice_inherit 0
776# define IPAddressChoice_addressesOrRanges 1
777
778typedef struct IPAddressChoice_st {
779 int type;
780 union {
781 ASN1_NULL *inherit;
782 IPAddressOrRanges *addressesOrRanges;
783 } u;
784} IPAddressChoice;
785
786typedef struct IPAddressFamily_st {
787 ASN1_OCTET_STRING *addressFamily;
788 IPAddressChoice *ipAddressChoice;
789} IPAddressFamily;
790
791typedef STACK_OF(IPAddressFamily) IPAddrBlocks;
792DEFINE_STACK_OF(IPAddressFamily)
793
794DECLARE_ASN1_FUNCTIONS(IPAddressRange)
795DECLARE_ASN1_FUNCTIONS(IPAddressOrRange)
796DECLARE_ASN1_FUNCTIONS(IPAddressChoice)
797DECLARE_ASN1_FUNCTIONS(IPAddressFamily)
798
799/*
800 * API tag for elements of the ASIdentifer SEQUENCE.
801 */
802# define V3_ASID_ASNUM 0
803# define V3_ASID_RDI 1
804
805/*
806 * AFI values, assigned by IANA. It'd be nice to make the AFI
807 * handling code totally generic, but there are too many little things
808 * that would need to be defined for other address families for it to
809 * be worth the trouble.
810 */
811# define IANA_AFI_IPV4 1
812# define IANA_AFI_IPV6 2
813
814/*
815 * Utilities to construct and extract values from RFC3779 extensions,
816 * since some of the encodings (particularly for IP address prefixes
817 * and ranges) are a bit tedious to work with directly.
818 */
819int X509v3_asid_add_inherit(ASIdentifiers *asid, int which);
820int X509v3_asid_add_id_or_range(ASIdentifiers *asid, int which,
821 ASN1_INTEGER *min, ASN1_INTEGER *max);
822int X509v3_addr_add_inherit(IPAddrBlocks *addr,
823 const unsigned afi, const unsigned *safi);
824int X509v3_addr_add_prefix(IPAddrBlocks *addr,
825 const unsigned afi, const unsigned *safi,
826 unsigned char *a, const int prefixlen);
827int X509v3_addr_add_range(IPAddrBlocks *addr,
828 const unsigned afi, const unsigned *safi,
829 unsigned char *min, unsigned char *max);
830unsigned X509v3_addr_get_afi(const IPAddressFamily *f);
831int X509v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi,
832 unsigned char *min, unsigned char *max,
833 const int length);
834
835/*
836 * Canonical forms.
837 */
838int X509v3_asid_is_canonical(ASIdentifiers *asid);
839int X509v3_addr_is_canonical(IPAddrBlocks *addr);
840int X509v3_asid_canonize(ASIdentifiers *asid);
841int X509v3_addr_canonize(IPAddrBlocks *addr);
842
843/*
844 * Tests for inheritance and containment.
845 */
846int X509v3_asid_inherits(ASIdentifiers *asid);
847int X509v3_addr_inherits(IPAddrBlocks *addr);
848int X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b);
849int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b);
850
851/*
852 * Check whether RFC 3779 extensions nest properly in chains.
853 */
854int X509v3_asid_validate_path(X509_STORE_CTX *);
855int X509v3_addr_validate_path(X509_STORE_CTX *);
856int X509v3_asid_validate_resource_set(STACK_OF(X509) *chain,
857 ASIdentifiers *ext,
858 int allow_inheritance);
859int X509v3_addr_validate_resource_set(STACK_OF(X509) *chain,
860 IPAddrBlocks *ext, int allow_inheritance);
861
862#endif /* OPENSSL_NO_RFC3779 */
863
864/* BEGIN ERROR CODES */
865/*
866 * The following lines are auto generated by the script mkerr.pl. Any changes
867 * made after this point may be overwritten when the script is next run.
868 */
869
870int ERR_load_X509V3_strings(void);
871
872/* Error codes for the X509V3 functions. */
873
874/* Function codes. */
875# define X509V3_F_A2I_GENERAL_NAME 164
876# define X509V3_F_ADDR_VALIDATE_PATH_INTERNAL 166
877# define X509V3_F_ASIDENTIFIERCHOICE_CANONIZE 161
878# define X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL 162
879# define X509V3_F_COPY_EMAIL 122
880# define X509V3_F_COPY_ISSUER 123
881# define X509V3_F_DO_DIRNAME 144
882# define X509V3_F_DO_EXT_I2D 135
883# define X509V3_F_DO_EXT_NCONF 151
884# define X509V3_F_GNAMES_FROM_SECTNAME 156
885# define X509V3_F_I2S_ASN1_ENUMERATED 121
886# define X509V3_F_I2S_ASN1_IA5STRING 149
887# define X509V3_F_I2S_ASN1_INTEGER 120
888# define X509V3_F_I2V_AUTHORITY_INFO_ACCESS 138
889# define X509V3_F_NOTICE_SECTION 132
890# define X509V3_F_NREF_NOS 133
891# define X509V3_F_POLICY_SECTION 131
892# define X509V3_F_PROCESS_PCI_VALUE 150
893# define X509V3_F_R2I_CERTPOL 130
894# define X509V3_F_R2I_PCI 155
895# define X509V3_F_S2I_ASN1_IA5STRING 100
896# define X509V3_F_S2I_ASN1_INTEGER 108
897# define X509V3_F_S2I_ASN1_OCTET_STRING 112
898# define X509V3_F_S2I_SKEY_ID 115
899# define X509V3_F_SET_DIST_POINT_NAME 158
900# define X509V3_F_SXNET_ADD_ID_ASC 125
901# define X509V3_F_SXNET_ADD_ID_INTEGER 126
902# define X509V3_F_SXNET_ADD_ID_ULONG 127
903# define X509V3_F_SXNET_GET_ID_ASC 128
904# define X509V3_F_SXNET_GET_ID_ULONG 129
905# define X509V3_F_V2I_ASIDENTIFIERS 163
906# define X509V3_F_V2I_ASN1_BIT_STRING 101
907# define X509V3_F_V2I_AUTHORITY_INFO_ACCESS 139
908# define X509V3_F_V2I_AUTHORITY_KEYID 119
909# define X509V3_F_V2I_BASIC_CONSTRAINTS 102
910# define X509V3_F_V2I_CRLD 134
911# define X509V3_F_V2I_EXTENDED_KEY_USAGE 103
912# define X509V3_F_V2I_GENERAL_NAMES 118
913# define X509V3_F_V2I_GENERAL_NAME_EX 117
914# define X509V3_F_V2I_IDP 157
915# define X509V3_F_V2I_IPADDRBLOCKS 159
916# define X509V3_F_V2I_ISSUER_ALT 153
917# define X509V3_F_V2I_NAME_CONSTRAINTS 147
918# define X509V3_F_V2I_POLICY_CONSTRAINTS 146
919# define X509V3_F_V2I_POLICY_MAPPINGS 145
920# define X509V3_F_V2I_SUBJECT_ALT 154
921# define X509V3_F_V2I_TLS_FEATURE 165
922# define X509V3_F_V3_GENERIC_EXTENSION 116
923# define X509V3_F_X509V3_ADD1_I2D 140
924# define X509V3_F_X509V3_ADD_VALUE 105
925# define X509V3_F_X509V3_EXT_ADD 104
926# define X509V3_F_X509V3_EXT_ADD_ALIAS 106
927# define X509V3_F_X509V3_EXT_I2D 136
928# define X509V3_F_X509V3_EXT_NCONF 152
929# define X509V3_F_X509V3_GET_SECTION 142
930# define X509V3_F_X509V3_GET_STRING 143
931# define X509V3_F_X509V3_GET_VALUE_BOOL 110
932# define X509V3_F_X509V3_PARSE_LIST 109
933# define X509V3_F_X509_PURPOSE_ADD 137
934# define X509V3_F_X509_PURPOSE_SET 141
935
936/* Reason codes. */
937# define X509V3_R_BAD_IP_ADDRESS 118
938# define X509V3_R_BAD_OBJECT 119
939# define X509V3_R_BN_DEC2BN_ERROR 100
940# define X509V3_R_BN_TO_ASN1_INTEGER_ERROR 101
941# define X509V3_R_DIRNAME_ERROR 149
942# define X509V3_R_DISTPOINT_ALREADY_SET 160
943# define X509V3_R_DUPLICATE_ZONE_ID 133
944# define X509V3_R_ERROR_CONVERTING_ZONE 131
945# define X509V3_R_ERROR_CREATING_EXTENSION 144
946# define X509V3_R_ERROR_IN_EXTENSION 128
947# define X509V3_R_EXPECTED_A_SECTION_NAME 137
948# define X509V3_R_EXTENSION_EXISTS 145
949# define X509V3_R_EXTENSION_NAME_ERROR 115
950# define X509V3_R_EXTENSION_NOT_FOUND 102
951# define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 103
952# define X509V3_R_EXTENSION_VALUE_ERROR 116
953# define X509V3_R_ILLEGAL_EMPTY_EXTENSION 151
954# define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 152
955# define X509V3_R_INVALID_ASNUMBER 162
956# define X509V3_R_INVALID_ASRANGE 163
957# define X509V3_R_INVALID_BOOLEAN_STRING 104
958# define X509V3_R_INVALID_EXTENSION_STRING 105
959# define X509V3_R_INVALID_INHERITANCE 165
960# define X509V3_R_INVALID_IPADDRESS 166
961# define X509V3_R_INVALID_MULTIPLE_RDNS 161
962# define X509V3_R_INVALID_NAME 106
963# define X509V3_R_INVALID_NULL_ARGUMENT 107
964# define X509V3_R_INVALID_NULL_NAME 108
965# define X509V3_R_INVALID_NULL_VALUE 109
966# define X509V3_R_INVALID_NUMBER 140
967# define X509V3_R_INVALID_NUMBERS 141
968# define X509V3_R_INVALID_OBJECT_IDENTIFIER 110
969# define X509V3_R_INVALID_OPTION 138
970# define X509V3_R_INVALID_POLICY_IDENTIFIER 134
971# define X509V3_R_INVALID_PROXY_POLICY_SETTING 153
972# define X509V3_R_INVALID_PURPOSE 146
973# define X509V3_R_INVALID_SAFI 164
974# define X509V3_R_INVALID_SECTION 135
975# define X509V3_R_INVALID_SYNTAX 143
976# define X509V3_R_ISSUER_DECODE_ERROR 126
977# define X509V3_R_MISSING_VALUE 124
978# define X509V3_R_NEED_ORGANIZATION_AND_NUMBERS 142
979# define X509V3_R_NO_CONFIG_DATABASE 136
980# define X509V3_R_NO_ISSUER_CERTIFICATE 121
981# define X509V3_R_NO_ISSUER_DETAILS 127
982# define X509V3_R_NO_POLICY_IDENTIFIER 139
983# define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED 154
984# define X509V3_R_NO_PUBLIC_KEY 114
985# define X509V3_R_NO_SUBJECT_DETAILS 125
986# define X509V3_R_OPERATION_NOT_DEFINED 148
987# define X509V3_R_OTHERNAME_ERROR 147
988# define X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED 155
989# define X509V3_R_POLICY_PATH_LENGTH 156
990# define X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED 157
991# define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 159
992# define X509V3_R_SECTION_NOT_FOUND 150
993# define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 122
994# define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 123
995# define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 111
996# define X509V3_R_UNKNOWN_EXTENSION 129
997# define X509V3_R_UNKNOWN_EXTENSION_NAME 130
998# define X509V3_R_UNKNOWN_OPTION 120
999# define X509V3_R_UNSUPPORTED_OPTION 117
1000# define X509V3_R_UNSUPPORTED_TYPE 167
1001# define X509V3_R_USER_TOO_LONG 132
1002
1003# ifdef __cplusplus
1004}
1005# endif
1006#endif
1007