1*8fb009dcSAndroid Build Coastguard Worker /* Copyright (C) 1995-1998 Eric Young ([email protected]) 2*8fb009dcSAndroid Build Coastguard Worker * All rights reserved. 3*8fb009dcSAndroid Build Coastguard Worker * 4*8fb009dcSAndroid Build Coastguard Worker * This package is an SSL implementation written 5*8fb009dcSAndroid Build Coastguard Worker * by Eric Young ([email protected]). 6*8fb009dcSAndroid Build Coastguard Worker * The implementation was written so as to conform with Netscapes SSL. 7*8fb009dcSAndroid Build Coastguard Worker * 8*8fb009dcSAndroid Build Coastguard Worker * This library is free for commercial and non-commercial use as long as 9*8fb009dcSAndroid Build Coastguard Worker * the following conditions are aheared to. The following conditions 10*8fb009dcSAndroid Build Coastguard Worker * apply to all code found in this distribution, be it the RC4, RSA, 11*8fb009dcSAndroid Build Coastguard Worker * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12*8fb009dcSAndroid Build Coastguard Worker * included with this distribution is covered by the same copyright terms 13*8fb009dcSAndroid Build Coastguard Worker * except that the holder is Tim Hudson ([email protected]). 14*8fb009dcSAndroid Build Coastguard Worker * 15*8fb009dcSAndroid Build Coastguard Worker * Copyright remains Eric Young's, and as such any Copyright notices in 16*8fb009dcSAndroid Build Coastguard Worker * the code are not to be removed. 17*8fb009dcSAndroid Build Coastguard Worker * If this package is used in a product, Eric Young should be given attribution 18*8fb009dcSAndroid Build Coastguard Worker * as the author of the parts of the library used. 19*8fb009dcSAndroid Build Coastguard Worker * This can be in the form of a textual message at program startup or 20*8fb009dcSAndroid Build Coastguard Worker * in documentation (online or textual) provided with the package. 21*8fb009dcSAndroid Build Coastguard Worker * 22*8fb009dcSAndroid Build Coastguard Worker * Redistribution and use in source and binary forms, with or without 23*8fb009dcSAndroid Build Coastguard Worker * modification, are permitted provided that the following conditions 24*8fb009dcSAndroid Build Coastguard Worker * are met: 25*8fb009dcSAndroid Build Coastguard Worker * 1. Redistributions of source code must retain the copyright 26*8fb009dcSAndroid Build Coastguard Worker * notice, this list of conditions and the following disclaimer. 27*8fb009dcSAndroid Build Coastguard Worker * 2. Redistributions in binary form must reproduce the above copyright 28*8fb009dcSAndroid Build Coastguard Worker * notice, this list of conditions and the following disclaimer in the 29*8fb009dcSAndroid Build Coastguard Worker * documentation and/or other materials provided with the distribution. 30*8fb009dcSAndroid Build Coastguard Worker * 3. All advertising materials mentioning features or use of this software 31*8fb009dcSAndroid Build Coastguard Worker * must display the following acknowledgement: 32*8fb009dcSAndroid Build Coastguard Worker * "This product includes cryptographic software written by 33*8fb009dcSAndroid Build Coastguard Worker * Eric Young ([email protected])" 34*8fb009dcSAndroid Build Coastguard Worker * The word 'cryptographic' can be left out if the rouines from the library 35*8fb009dcSAndroid Build Coastguard Worker * being used are not cryptographic related :-). 36*8fb009dcSAndroid Build Coastguard Worker * 4. If you include any Windows specific code (or a derivative thereof) from 37*8fb009dcSAndroid Build Coastguard Worker * the apps directory (application code) you must include an acknowledgement: 38*8fb009dcSAndroid Build Coastguard Worker * "This product includes software written by Tim Hudson ([email protected])" 39*8fb009dcSAndroid Build Coastguard Worker * 40*8fb009dcSAndroid Build Coastguard Worker * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41*8fb009dcSAndroid Build Coastguard Worker * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42*8fb009dcSAndroid Build Coastguard Worker * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43*8fb009dcSAndroid Build Coastguard Worker * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44*8fb009dcSAndroid Build Coastguard Worker * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45*8fb009dcSAndroid Build Coastguard Worker * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46*8fb009dcSAndroid Build Coastguard Worker * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47*8fb009dcSAndroid Build Coastguard Worker * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48*8fb009dcSAndroid Build Coastguard Worker * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49*8fb009dcSAndroid Build Coastguard Worker * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50*8fb009dcSAndroid Build Coastguard Worker * SUCH DAMAGE. 51*8fb009dcSAndroid Build Coastguard Worker * 52*8fb009dcSAndroid Build Coastguard Worker * The licence and distribution terms for any publically available version or 53*8fb009dcSAndroid Build Coastguard Worker * derivative of this code cannot be changed. i.e. this code cannot simply be 54*8fb009dcSAndroid Build Coastguard Worker * copied and put under another distribution licence 55*8fb009dcSAndroid Build Coastguard Worker * [including the GNU Public Licence.] 56*8fb009dcSAndroid Build Coastguard Worker */ 57*8fb009dcSAndroid Build Coastguard Worker /* ==================================================================== 58*8fb009dcSAndroid Build Coastguard Worker * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 59*8fb009dcSAndroid Build Coastguard Worker * ECDH support in OpenSSL originally developed by 60*8fb009dcSAndroid Build Coastguard Worker * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 61*8fb009dcSAndroid Build Coastguard Worker */ 62*8fb009dcSAndroid Build Coastguard Worker 63*8fb009dcSAndroid Build Coastguard Worker #ifndef OPENSSL_HEADER_X509_H 64*8fb009dcSAndroid Build Coastguard Worker #define OPENSSL_HEADER_X509_H 65*8fb009dcSAndroid Build Coastguard Worker 66*8fb009dcSAndroid Build Coastguard Worker #include <openssl/base.h> 67*8fb009dcSAndroid Build Coastguard Worker 68*8fb009dcSAndroid Build Coastguard Worker #include <time.h> 69*8fb009dcSAndroid Build Coastguard Worker 70*8fb009dcSAndroid Build Coastguard Worker #include <openssl/asn1.h> 71*8fb009dcSAndroid Build Coastguard Worker #include <openssl/bio.h> 72*8fb009dcSAndroid Build Coastguard Worker #include <openssl/cipher.h> 73*8fb009dcSAndroid Build Coastguard Worker #include <openssl/conf.h> 74*8fb009dcSAndroid Build Coastguard Worker #include <openssl/dh.h> 75*8fb009dcSAndroid Build Coastguard Worker #include <openssl/dsa.h> 76*8fb009dcSAndroid Build Coastguard Worker #include <openssl/ec.h> 77*8fb009dcSAndroid Build Coastguard Worker #include <openssl/ecdh.h> 78*8fb009dcSAndroid Build Coastguard Worker #include <openssl/ecdsa.h> 79*8fb009dcSAndroid Build Coastguard Worker #include <openssl/evp.h> 80*8fb009dcSAndroid Build Coastguard Worker #include <openssl/lhash.h> 81*8fb009dcSAndroid Build Coastguard Worker #include <openssl/obj.h> 82*8fb009dcSAndroid Build Coastguard Worker #include <openssl/pkcs7.h> 83*8fb009dcSAndroid Build Coastguard Worker #include <openssl/pool.h> 84*8fb009dcSAndroid Build Coastguard Worker #include <openssl/rsa.h> 85*8fb009dcSAndroid Build Coastguard Worker #include <openssl/sha.h> 86*8fb009dcSAndroid Build Coastguard Worker #include <openssl/stack.h> 87*8fb009dcSAndroid Build Coastguard Worker #include <openssl/thread.h> 88*8fb009dcSAndroid Build Coastguard Worker #include <openssl/x509v3_errors.h> // IWYU pragma: export 89*8fb009dcSAndroid Build Coastguard Worker 90*8fb009dcSAndroid Build Coastguard Worker #if defined(__cplusplus) 91*8fb009dcSAndroid Build Coastguard Worker extern "C" { 92*8fb009dcSAndroid Build Coastguard Worker #endif 93*8fb009dcSAndroid Build Coastguard Worker 94*8fb009dcSAndroid Build Coastguard Worker 95*8fb009dcSAndroid Build Coastguard Worker // Legacy X.509 library. 96*8fb009dcSAndroid Build Coastguard Worker // 97*8fb009dcSAndroid Build Coastguard Worker // This header is part of OpenSSL's X.509 implementation. It is retained for 98*8fb009dcSAndroid Build Coastguard Worker // compatibility but should not be used by new code. The functions are difficult 99*8fb009dcSAndroid Build Coastguard Worker // to use correctly, and have buggy or non-standard behaviors. They are thus 100*8fb009dcSAndroid Build Coastguard Worker // particularly prone to behavior changes and API removals, as BoringSSL 101*8fb009dcSAndroid Build Coastguard Worker // iterates on these issues. 102*8fb009dcSAndroid Build Coastguard Worker // 103*8fb009dcSAndroid Build Coastguard Worker // In the future, a replacement library will be available. Meanwhile, minimize 104*8fb009dcSAndroid Build Coastguard Worker // dependencies on this header where possible. 105*8fb009dcSAndroid Build Coastguard Worker 106*8fb009dcSAndroid Build Coastguard Worker 107*8fb009dcSAndroid Build Coastguard Worker // Certificates. 108*8fb009dcSAndroid Build Coastguard Worker // 109*8fb009dcSAndroid Build Coastguard Worker // An |X509| object represents an X.509 certificate, defined in RFC 5280. 110*8fb009dcSAndroid Build Coastguard Worker // 111*8fb009dcSAndroid Build Coastguard Worker // Although an |X509| is a mutable object, mutating an |X509| can give incorrect 112*8fb009dcSAndroid Build Coastguard Worker // results. Callers typically obtain |X509|s by parsing some input with 113*8fb009dcSAndroid Build Coastguard Worker // |d2i_X509|, etc. Such objects carry information such as the serialized 114*8fb009dcSAndroid Build Coastguard Worker // TBSCertificate and decoded extensions, which will become inconsistent when 115*8fb009dcSAndroid Build Coastguard Worker // mutated. 116*8fb009dcSAndroid Build Coastguard Worker // 117*8fb009dcSAndroid Build Coastguard Worker // Instead, mutation functions should only be used when issuing new 118*8fb009dcSAndroid Build Coastguard Worker // certificates, as described in a later section. 119*8fb009dcSAndroid Build Coastguard Worker 120*8fb009dcSAndroid Build Coastguard Worker DEFINE_STACK_OF(X509) 121*8fb009dcSAndroid Build Coastguard Worker 122*8fb009dcSAndroid Build Coastguard Worker // X509 is an |ASN1_ITEM| whose ASN.1 type is X.509 Certificate (RFC 5280) and C 123*8fb009dcSAndroid Build Coastguard Worker // type is |X509*|. 124*8fb009dcSAndroid Build Coastguard Worker DECLARE_ASN1_ITEM(X509) 125*8fb009dcSAndroid Build Coastguard Worker 126*8fb009dcSAndroid Build Coastguard Worker // X509_up_ref adds one to the reference count of |x509| and returns one. 127*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_up_ref(X509 *x509); 128*8fb009dcSAndroid Build Coastguard Worker 129*8fb009dcSAndroid Build Coastguard Worker // X509_chain_up_ref returns a newly-allocated |STACK_OF(X509)| containing a 130*8fb009dcSAndroid Build Coastguard Worker // shallow copy of |chain|, or NULL on error. That is, the return value has the 131*8fb009dcSAndroid Build Coastguard Worker // same contents as |chain|, and each |X509|'s reference count is incremented by 132*8fb009dcSAndroid Build Coastguard Worker // one. 133*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain); 134*8fb009dcSAndroid Build Coastguard Worker 135*8fb009dcSAndroid Build Coastguard Worker // X509_dup returns a newly-allocated copy of |x509|, or NULL on error. This 136*8fb009dcSAndroid Build Coastguard Worker // function works by serializing the structure, so auxiliary properties (see 137*8fb009dcSAndroid Build Coastguard Worker // |i2d_X509_AUX|) are not preserved. Additionally, if |x509| is incomplete, 138*8fb009dcSAndroid Build Coastguard Worker // this function may fail. 139*8fb009dcSAndroid Build Coastguard Worker // 140*8fb009dcSAndroid Build Coastguard Worker // TODO(https://crbug.com/boringssl/407): This function should be const and 141*8fb009dcSAndroid Build Coastguard Worker // thread-safe but is currently neither in some cases, notably if |crl| was 142*8fb009dcSAndroid Build Coastguard Worker // mutated. 143*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509 *X509_dup(X509 *x509); 144*8fb009dcSAndroid Build Coastguard Worker 145*8fb009dcSAndroid Build Coastguard Worker // X509_free decrements |x509|'s reference count and, if zero, releases memory 146*8fb009dcSAndroid Build Coastguard Worker // associated with |x509|. 147*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_free(X509 *x509); 148*8fb009dcSAndroid Build Coastguard Worker 149*8fb009dcSAndroid Build Coastguard Worker // d2i_X509 parses up to |len| bytes from |*inp| as a DER-encoded X.509 150*8fb009dcSAndroid Build Coastguard Worker // Certificate (RFC 5280), as described in |d2i_SAMPLE|. 151*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509 *d2i_X509(X509 **out, const uint8_t **inp, long len); 152*8fb009dcSAndroid Build Coastguard Worker 153*8fb009dcSAndroid Build Coastguard Worker // X509_parse_from_buffer parses an X.509 structure from |buf| and returns a 154*8fb009dcSAndroid Build Coastguard Worker // fresh X509 or NULL on error. There must not be any trailing data in |buf|. 155*8fb009dcSAndroid Build Coastguard Worker // The returned structure (if any) holds a reference to |buf| rather than 156*8fb009dcSAndroid Build Coastguard Worker // copying parts of it as a normal |d2i_X509| call would do. 157*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509 *X509_parse_from_buffer(CRYPTO_BUFFER *buf); 158*8fb009dcSAndroid Build Coastguard Worker 159*8fb009dcSAndroid Build Coastguard Worker // i2d_X509 marshals |x509| as a DER-encoded X.509 Certificate (RFC 5280), as 160*8fb009dcSAndroid Build Coastguard Worker // described in |i2d_SAMPLE|. 161*8fb009dcSAndroid Build Coastguard Worker // 162*8fb009dcSAndroid Build Coastguard Worker // TODO(https://crbug.com/boringssl/407): This function should be const and 163*8fb009dcSAndroid Build Coastguard Worker // thread-safe but is currently neither in some cases, notably if |x509| was 164*8fb009dcSAndroid Build Coastguard Worker // mutated. 165*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_X509(X509 *x509, uint8_t **outp); 166*8fb009dcSAndroid Build Coastguard Worker 167*8fb009dcSAndroid Build Coastguard Worker // X509_VERSION_* are X.509 version numbers. Note the numerical values of all 168*8fb009dcSAndroid Build Coastguard Worker // defined X.509 versions are one less than the named version. 169*8fb009dcSAndroid Build Coastguard Worker #define X509_VERSION_1 0 170*8fb009dcSAndroid Build Coastguard Worker #define X509_VERSION_2 1 171*8fb009dcSAndroid Build Coastguard Worker #define X509_VERSION_3 2 172*8fb009dcSAndroid Build Coastguard Worker 173*8fb009dcSAndroid Build Coastguard Worker // X509_get_version returns the numerical value of |x509|'s version, which will 174*8fb009dcSAndroid Build Coastguard Worker // be one of the |X509_VERSION_*| constants. 175*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT long X509_get_version(const X509 *x509); 176*8fb009dcSAndroid Build Coastguard Worker 177*8fb009dcSAndroid Build Coastguard Worker // X509_get0_serialNumber returns |x509|'s serial number. 178*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT const ASN1_INTEGER *X509_get0_serialNumber(const X509 *x509); 179*8fb009dcSAndroid Build Coastguard Worker 180*8fb009dcSAndroid Build Coastguard Worker // X509_get0_notBefore returns |x509|'s notBefore time. 181*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT const ASN1_TIME *X509_get0_notBefore(const X509 *x509); 182*8fb009dcSAndroid Build Coastguard Worker 183*8fb009dcSAndroid Build Coastguard Worker // X509_get0_notAfter returns |x509|'s notAfter time. 184*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT const ASN1_TIME *X509_get0_notAfter(const X509 *x509); 185*8fb009dcSAndroid Build Coastguard Worker 186*8fb009dcSAndroid Build Coastguard Worker // X509_get_issuer_name returns |x509|'s issuer. 187*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_NAME *X509_get_issuer_name(const X509 *x509); 188*8fb009dcSAndroid Build Coastguard Worker 189*8fb009dcSAndroid Build Coastguard Worker // X509_get_subject_name returns |x509|'s subject. 190*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_NAME *X509_get_subject_name(const X509 *x509); 191*8fb009dcSAndroid Build Coastguard Worker 192*8fb009dcSAndroid Build Coastguard Worker // X509_get_X509_PUBKEY returns the public key of |x509|. Note this function is 193*8fb009dcSAndroid Build Coastguard Worker // not const-correct for legacy reasons. Callers should not modify the returned 194*8fb009dcSAndroid Build Coastguard Worker // object. 195*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x509); 196*8fb009dcSAndroid Build Coastguard Worker 197*8fb009dcSAndroid Build Coastguard Worker // X509_get0_pubkey returns |x509|'s public key as an |EVP_PKEY|, or NULL if the 198*8fb009dcSAndroid Build Coastguard Worker // public key was unsupported or could not be decoded. The |EVP_PKEY| is cached 199*8fb009dcSAndroid Build Coastguard Worker // in |x509|, so callers must not mutate the result. 200*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT EVP_PKEY *X509_get0_pubkey(const X509 *x509); 201*8fb009dcSAndroid Build Coastguard Worker 202*8fb009dcSAndroid Build Coastguard Worker // X509_get_pubkey behaves like |X509_get0_pubkey| but increments the reference 203*8fb009dcSAndroid Build Coastguard Worker // count on the |EVP_PKEY|. The caller must release the result with 204*8fb009dcSAndroid Build Coastguard Worker // |EVP_PKEY_free| when done. The |EVP_PKEY| is cached in |x509|, so callers 205*8fb009dcSAndroid Build Coastguard Worker // must not mutate the result. 206*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT EVP_PKEY *X509_get_pubkey(const X509 *x509); 207*8fb009dcSAndroid Build Coastguard Worker 208*8fb009dcSAndroid Build Coastguard Worker // X509_get0_pubkey_bitstr returns the BIT STRING portion of |x509|'s public 209*8fb009dcSAndroid Build Coastguard Worker // key. Note this does not contain the AlgorithmIdentifier portion. 210*8fb009dcSAndroid Build Coastguard Worker // 211*8fb009dcSAndroid Build Coastguard Worker // WARNING: This function returns a non-const pointer for OpenSSL compatibility, 212*8fb009dcSAndroid Build Coastguard Worker // but the caller must not modify the resulting object. Doing so will break 213*8fb009dcSAndroid Build Coastguard Worker // internal invariants in |x509|. 214*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x509); 215*8fb009dcSAndroid Build Coastguard Worker 216*8fb009dcSAndroid Build Coastguard Worker // X509_check_private_key returns one if |x509|'s public key matches |pkey| and 217*8fb009dcSAndroid Build Coastguard Worker // zero otherwise. 218*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_check_private_key(const X509 *x509, 219*8fb009dcSAndroid Build Coastguard Worker const EVP_PKEY *pkey); 220*8fb009dcSAndroid Build Coastguard Worker 221*8fb009dcSAndroid Build Coastguard Worker // X509_get0_uids sets |*out_issuer_uid| to a non-owning pointer to the 222*8fb009dcSAndroid Build Coastguard Worker // issuerUID field of |x509|, or NULL if |x509| has no issuerUID. It similarly 223*8fb009dcSAndroid Build Coastguard Worker // outputs |x509|'s subjectUID field to |*out_subject_uid|. 224*8fb009dcSAndroid Build Coastguard Worker // 225*8fb009dcSAndroid Build Coastguard Worker // Callers may pass NULL to either |out_issuer_uid| or |out_subject_uid| to 226*8fb009dcSAndroid Build Coastguard Worker // ignore the corresponding field. 227*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_get0_uids(const X509 *x509, 228*8fb009dcSAndroid Build Coastguard Worker const ASN1_BIT_STRING **out_issuer_uid, 229*8fb009dcSAndroid Build Coastguard Worker const ASN1_BIT_STRING **out_subject_uid); 230*8fb009dcSAndroid Build Coastguard Worker 231*8fb009dcSAndroid Build Coastguard Worker // The following bits are returned from |X509_get_extension_flags|. 232*8fb009dcSAndroid Build Coastguard Worker 233*8fb009dcSAndroid Build Coastguard Worker // EXFLAG_BCONS indicates the certificate has a basic constraints extension. 234*8fb009dcSAndroid Build Coastguard Worker #define EXFLAG_BCONS 0x1 235*8fb009dcSAndroid Build Coastguard Worker // EXFLAG_KUSAGE indicates the certifcate has a key usage extension. 236*8fb009dcSAndroid Build Coastguard Worker #define EXFLAG_KUSAGE 0x2 237*8fb009dcSAndroid Build Coastguard Worker // EXFLAG_XKUSAGE indicates the certifcate has an extended key usage extension. 238*8fb009dcSAndroid Build Coastguard Worker #define EXFLAG_XKUSAGE 0x4 239*8fb009dcSAndroid Build Coastguard Worker // EXFLAG_CA indicates the certificate has a basic constraints extension with 240*8fb009dcSAndroid Build Coastguard Worker // the CA bit set. 241*8fb009dcSAndroid Build Coastguard Worker #define EXFLAG_CA 0x10 242*8fb009dcSAndroid Build Coastguard Worker // EXFLAG_SI indicates the certificate is self-issued, i.e. its subject and 243*8fb009dcSAndroid Build Coastguard Worker // issuer names match. 244*8fb009dcSAndroid Build Coastguard Worker #define EXFLAG_SI 0x20 245*8fb009dcSAndroid Build Coastguard Worker // EXFLAG_V1 indicates an X.509v1 certificate. 246*8fb009dcSAndroid Build Coastguard Worker #define EXFLAG_V1 0x40 247*8fb009dcSAndroid Build Coastguard Worker // EXFLAG_INVALID indicates an error processing some extension. The certificate 248*8fb009dcSAndroid Build Coastguard Worker // should not be accepted. Note the lack of this bit does not imply all 249*8fb009dcSAndroid Build Coastguard Worker // extensions are valid, only those used to compute extension flags. 250*8fb009dcSAndroid Build Coastguard Worker #define EXFLAG_INVALID 0x80 251*8fb009dcSAndroid Build Coastguard Worker // EXFLAG_SET is an internal bit that indicates extension flags were computed. 252*8fb009dcSAndroid Build Coastguard Worker #define EXFLAG_SET 0x100 253*8fb009dcSAndroid Build Coastguard Worker // EXFLAG_CRITICAL indicates an unsupported critical extension. The certificate 254*8fb009dcSAndroid Build Coastguard Worker // should not be accepted. 255*8fb009dcSAndroid Build Coastguard Worker #define EXFLAG_CRITICAL 0x200 256*8fb009dcSAndroid Build Coastguard Worker // EXFLAG_SS indicates the certificate is likely self-signed. That is, if it is 257*8fb009dcSAndroid Build Coastguard Worker // self-issued, its authority key identifier (if any) matches itself, and its 258*8fb009dcSAndroid Build Coastguard Worker // key usage extension (if any) allows certificate signatures. The signature 259*8fb009dcSAndroid Build Coastguard Worker // itself is not checked in computing this bit. 260*8fb009dcSAndroid Build Coastguard Worker #define EXFLAG_SS 0x2000 261*8fb009dcSAndroid Build Coastguard Worker 262*8fb009dcSAndroid Build Coastguard Worker // X509_get_extension_flags decodes a set of extensions from |x509| and returns 263*8fb009dcSAndroid Build Coastguard Worker // a collection of |EXFLAG_*| bits which reflect |x509|. If there was an error 264*8fb009dcSAndroid Build Coastguard Worker // in computing this bitmask, the result will include the |EXFLAG_INVALID| bit. 265*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT uint32_t X509_get_extension_flags(X509 *x509); 266*8fb009dcSAndroid Build Coastguard Worker 267*8fb009dcSAndroid Build Coastguard Worker // X509_get_pathlen returns path length constraint from the basic constraints 268*8fb009dcSAndroid Build Coastguard Worker // extension in |x509|. (See RFC 5280, section 4.2.1.9.) It returns -1 if the 269*8fb009dcSAndroid Build Coastguard Worker // constraint is not present, or if some extension in |x509| was invalid. 270*8fb009dcSAndroid Build Coastguard Worker // 271*8fb009dcSAndroid Build Coastguard Worker // TODO(crbug.com/boringssl/381): Decoding an |X509| object will not check for 272*8fb009dcSAndroid Build Coastguard Worker // invalid extensions. To detect the error case, call 273*8fb009dcSAndroid Build Coastguard Worker // |X509_get_extension_flags| and check the |EXFLAG_INVALID| bit. 274*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT long X509_get_pathlen(X509 *x509); 275*8fb009dcSAndroid Build Coastguard Worker 276*8fb009dcSAndroid Build Coastguard Worker // X509v3_KU_* are key usage bits returned from |X509_get_key_usage|. 277*8fb009dcSAndroid Build Coastguard Worker #define X509v3_KU_DIGITAL_SIGNATURE 0x0080 278*8fb009dcSAndroid Build Coastguard Worker #define X509v3_KU_NON_REPUDIATION 0x0040 279*8fb009dcSAndroid Build Coastguard Worker #define X509v3_KU_KEY_ENCIPHERMENT 0x0020 280*8fb009dcSAndroid Build Coastguard Worker #define X509v3_KU_DATA_ENCIPHERMENT 0x0010 281*8fb009dcSAndroid Build Coastguard Worker #define X509v3_KU_KEY_AGREEMENT 0x0008 282*8fb009dcSAndroid Build Coastguard Worker #define X509v3_KU_KEY_CERT_SIGN 0x0004 283*8fb009dcSAndroid Build Coastguard Worker #define X509v3_KU_CRL_SIGN 0x0002 284*8fb009dcSAndroid Build Coastguard Worker #define X509v3_KU_ENCIPHER_ONLY 0x0001 285*8fb009dcSAndroid Build Coastguard Worker #define X509v3_KU_DECIPHER_ONLY 0x8000 286*8fb009dcSAndroid Build Coastguard Worker 287*8fb009dcSAndroid Build Coastguard Worker // X509_get_key_usage returns a bitmask of key usages (see Section 4.2.1.3 of 288*8fb009dcSAndroid Build Coastguard Worker // RFC 5280) which |x509| is valid for. This function only reports the first 16 289*8fb009dcSAndroid Build Coastguard Worker // bits, in a little-endian byte order, but big-endian bit order. That is, bits 290*8fb009dcSAndroid Build Coastguard Worker // 0 though 7 are reported at 1<<7 through 1<<0, and bits 8 through 15 are 291*8fb009dcSAndroid Build Coastguard Worker // reported at 1<<15 through 1<<8. 292*8fb009dcSAndroid Build Coastguard Worker // 293*8fb009dcSAndroid Build Coastguard Worker // Instead of depending on this bit order, callers should compare against the 294*8fb009dcSAndroid Build Coastguard Worker // |X509v3_KU_*| constants. 295*8fb009dcSAndroid Build Coastguard Worker // 296*8fb009dcSAndroid Build Coastguard Worker // If |x509| has no key usage extension, all key usages are valid and this 297*8fb009dcSAndroid Build Coastguard Worker // function returns |UINT32_MAX|. If there was an error processing |x509|'s 298*8fb009dcSAndroid Build Coastguard Worker // extensions, or if the first 16 bits in the key usage extension were all zero, 299*8fb009dcSAndroid Build Coastguard Worker // this function returns zero. 300*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT uint32_t X509_get_key_usage(X509 *x509); 301*8fb009dcSAndroid Build Coastguard Worker 302*8fb009dcSAndroid Build Coastguard Worker // XKU_* are extended key usage bits returned from 303*8fb009dcSAndroid Build Coastguard Worker // |X509_get_extended_key_usage|. 304*8fb009dcSAndroid Build Coastguard Worker #define XKU_SSL_SERVER 0x1 305*8fb009dcSAndroid Build Coastguard Worker #define XKU_SSL_CLIENT 0x2 306*8fb009dcSAndroid Build Coastguard Worker #define XKU_SMIME 0x4 307*8fb009dcSAndroid Build Coastguard Worker #define XKU_CODE_SIGN 0x8 308*8fb009dcSAndroid Build Coastguard Worker #define XKU_SGC 0x10 309*8fb009dcSAndroid Build Coastguard Worker #define XKU_OCSP_SIGN 0x20 310*8fb009dcSAndroid Build Coastguard Worker #define XKU_TIMESTAMP 0x40 311*8fb009dcSAndroid Build Coastguard Worker #define XKU_DVCS 0x80 312*8fb009dcSAndroid Build Coastguard Worker #define XKU_ANYEKU 0x100 313*8fb009dcSAndroid Build Coastguard Worker 314*8fb009dcSAndroid Build Coastguard Worker // X509_get_extended_key_usage returns a bitmask of extended key usages (see 315*8fb009dcSAndroid Build Coastguard Worker // Section 4.2.1.12 of RFC 5280) which |x509| is valid for. The result will be 316*8fb009dcSAndroid Build Coastguard Worker // a combination of |XKU_*| constants. If checking an extended key usage not 317*8fb009dcSAndroid Build Coastguard Worker // defined above, callers should extract the extended key usage extension 318*8fb009dcSAndroid Build Coastguard Worker // separately, e.g. via |X509_get_ext_d2i|. 319*8fb009dcSAndroid Build Coastguard Worker // 320*8fb009dcSAndroid Build Coastguard Worker // If |x509| has no extended key usage extension, all extended key usages are 321*8fb009dcSAndroid Build Coastguard Worker // valid and this function returns |UINT32_MAX|. If there was an error 322*8fb009dcSAndroid Build Coastguard Worker // processing |x509|'s extensions, or if |x509|'s extended key usage extension 323*8fb009dcSAndroid Build Coastguard Worker // contained no recognized usages, this function returns zero. 324*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT uint32_t X509_get_extended_key_usage(X509 *x509); 325*8fb009dcSAndroid Build Coastguard Worker 326*8fb009dcSAndroid Build Coastguard Worker // X509_get0_subject_key_id returns |x509|'s subject key identifier, if present. 327*8fb009dcSAndroid Build Coastguard Worker // (See RFC 5280, section 4.2.1.2.) It returns NULL if the extension is not 328*8fb009dcSAndroid Build Coastguard Worker // present or if some extension in |x509| was invalid. 329*8fb009dcSAndroid Build Coastguard Worker // 330*8fb009dcSAndroid Build Coastguard Worker // TODO(crbug.com/boringssl/381): Decoding an |X509| object will not check for 331*8fb009dcSAndroid Build Coastguard Worker // invalid extensions. To detect the error case, call 332*8fb009dcSAndroid Build Coastguard Worker // |X509_get_extension_flags| and check the |EXFLAG_INVALID| bit. 333*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x509); 334*8fb009dcSAndroid Build Coastguard Worker 335*8fb009dcSAndroid Build Coastguard Worker // X509_get0_authority_key_id returns keyIdentifier of |x509|'s authority key 336*8fb009dcSAndroid Build Coastguard Worker // identifier, if the extension and field are present. (See RFC 5280, 337*8fb009dcSAndroid Build Coastguard Worker // section 4.2.1.1.) It returns NULL if the extension is not present, if it is 338*8fb009dcSAndroid Build Coastguard Worker // present but lacks a keyIdentifier field, or if some extension in |x509| was 339*8fb009dcSAndroid Build Coastguard Worker // invalid. 340*8fb009dcSAndroid Build Coastguard Worker // 341*8fb009dcSAndroid Build Coastguard Worker // TODO(crbug.com/boringssl/381): Decoding an |X509| object will not check for 342*8fb009dcSAndroid Build Coastguard Worker // invalid extensions. To detect the error case, call 343*8fb009dcSAndroid Build Coastguard Worker // |X509_get_extension_flags| and check the |EXFLAG_INVALID| bit. 344*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x509); 345*8fb009dcSAndroid Build Coastguard Worker 346*8fb009dcSAndroid Build Coastguard Worker DEFINE_STACK_OF(GENERAL_NAME) 347*8fb009dcSAndroid Build Coastguard Worker typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES; 348*8fb009dcSAndroid Build Coastguard Worker 349*8fb009dcSAndroid Build Coastguard Worker // X509_get0_authority_issuer returns the authorityCertIssuer of |x509|'s 350*8fb009dcSAndroid Build Coastguard Worker // authority key identifier, if the extension and field are present. (See 351*8fb009dcSAndroid Build Coastguard Worker // RFC 5280, section 4.2.1.1.) It returns NULL if the extension is not present, 352*8fb009dcSAndroid Build Coastguard Worker // if it is present but lacks a authorityCertIssuer field, or if some extension 353*8fb009dcSAndroid Build Coastguard Worker // in |x509| was invalid. 354*8fb009dcSAndroid Build Coastguard Worker // 355*8fb009dcSAndroid Build Coastguard Worker // TODO(crbug.com/boringssl/381): Decoding an |X509| object will not check for 356*8fb009dcSAndroid Build Coastguard Worker // invalid extensions. To detect the error case, call 357*8fb009dcSAndroid Build Coastguard Worker // |X509_get_extension_flags| and check the |EXFLAG_INVALID| bit. 358*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x509); 359*8fb009dcSAndroid Build Coastguard Worker 360*8fb009dcSAndroid Build Coastguard Worker // X509_get0_authority_serial returns the authorityCertSerialNumber of |x509|'s 361*8fb009dcSAndroid Build Coastguard Worker // authority key identifier, if the extension and field are present. (See 362*8fb009dcSAndroid Build Coastguard Worker // RFC 5280, section 4.2.1.1.) It returns NULL if the extension is not present, 363*8fb009dcSAndroid Build Coastguard Worker // if it is present but lacks a authorityCertSerialNumber field, or if some 364*8fb009dcSAndroid Build Coastguard Worker // extension in |x509| was invalid. 365*8fb009dcSAndroid Build Coastguard Worker // 366*8fb009dcSAndroid Build Coastguard Worker // TODO(crbug.com/boringssl/381): Decoding an |X509| object will not check for 367*8fb009dcSAndroid Build Coastguard Worker // invalid extensions. To detect the error case, call 368*8fb009dcSAndroid Build Coastguard Worker // |X509_get_extension_flags| and check the |EXFLAG_INVALID| bit. 369*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT const ASN1_INTEGER *X509_get0_authority_serial(X509 *x509); 370*8fb009dcSAndroid Build Coastguard Worker 371*8fb009dcSAndroid Build Coastguard Worker // X509_get0_extensions returns |x509|'s extension list, or NULL if |x509| omits 372*8fb009dcSAndroid Build Coastguard Worker // it. 373*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_get0_extensions( 374*8fb009dcSAndroid Build Coastguard Worker const X509 *x509); 375*8fb009dcSAndroid Build Coastguard Worker 376*8fb009dcSAndroid Build Coastguard Worker // X509_get_ext_count returns the number of extensions in |x|. 377*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_get_ext_count(const X509 *x); 378*8fb009dcSAndroid Build Coastguard Worker 379*8fb009dcSAndroid Build Coastguard Worker // X509_get_ext_by_NID behaves like |X509v3_get_ext_by_NID| but searches for 380*8fb009dcSAndroid Build Coastguard Worker // extensions in |x|. 381*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_get_ext_by_NID(const X509 *x, int nid, int lastpos); 382*8fb009dcSAndroid Build Coastguard Worker 383*8fb009dcSAndroid Build Coastguard Worker // X509_get_ext_by_OBJ behaves like |X509v3_get_ext_by_OBJ| but searches for 384*8fb009dcSAndroid Build Coastguard Worker // extensions in |x|. 385*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_get_ext_by_OBJ(const X509 *x, const ASN1_OBJECT *obj, 386*8fb009dcSAndroid Build Coastguard Worker int lastpos); 387*8fb009dcSAndroid Build Coastguard Worker 388*8fb009dcSAndroid Build Coastguard Worker // X509_get_ext_by_critical behaves like |X509v3_get_ext_by_critical| but 389*8fb009dcSAndroid Build Coastguard Worker // searches for extensions in |x|. 390*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_get_ext_by_critical(const X509 *x, int crit, 391*8fb009dcSAndroid Build Coastguard Worker int lastpos); 392*8fb009dcSAndroid Build Coastguard Worker 393*8fb009dcSAndroid Build Coastguard Worker // X509_get_ext returns the extension in |x| at index |loc|, or NULL if |loc| is 394*8fb009dcSAndroid Build Coastguard Worker // out of bounds. This function returns a non-const pointer for OpenSSL 395*8fb009dcSAndroid Build Coastguard Worker // compatibility, but callers should not mutate the result. 396*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_EXTENSION *X509_get_ext(const X509 *x, int loc); 397*8fb009dcSAndroid Build Coastguard Worker 398*8fb009dcSAndroid Build Coastguard Worker // X509_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the extension in 399*8fb009dcSAndroid Build Coastguard Worker // |x509|'s extension list. 400*8fb009dcSAndroid Build Coastguard Worker // 401*8fb009dcSAndroid Build Coastguard Worker // WARNING: This function is difficult to use correctly. See the documentation 402*8fb009dcSAndroid Build Coastguard Worker // for |X509V3_get_d2i| for details. 403*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void *X509_get_ext_d2i(const X509 *x509, int nid, 404*8fb009dcSAndroid Build Coastguard Worker int *out_critical, int *out_idx); 405*8fb009dcSAndroid Build Coastguard Worker 406*8fb009dcSAndroid Build Coastguard Worker // X509_get0_tbs_sigalg returns the signature algorithm in |x509|'s 407*8fb009dcSAndroid Build Coastguard Worker // TBSCertificate. For the outer signature algorithm, see |X509_get0_signature|. 408*8fb009dcSAndroid Build Coastguard Worker // 409*8fb009dcSAndroid Build Coastguard Worker // Certificates with mismatched signature algorithms will successfully parse, 410*8fb009dcSAndroid Build Coastguard Worker // but they will be rejected when verifying. 411*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x509); 412*8fb009dcSAndroid Build Coastguard Worker 413*8fb009dcSAndroid Build Coastguard Worker // X509_get0_signature sets |*out_sig| and |*out_alg| to the signature and 414*8fb009dcSAndroid Build Coastguard Worker // signature algorithm of |x509|, respectively. Either output pointer may be 415*8fb009dcSAndroid Build Coastguard Worker // NULL to ignore the value. 416*8fb009dcSAndroid Build Coastguard Worker // 417*8fb009dcSAndroid Build Coastguard Worker // This function outputs the outer signature algorithm. For the one in the 418*8fb009dcSAndroid Build Coastguard Worker // TBSCertificate, see |X509_get0_tbs_sigalg|. Certificates with mismatched 419*8fb009dcSAndroid Build Coastguard Worker // signature algorithms will successfully parse, but they will be rejected when 420*8fb009dcSAndroid Build Coastguard Worker // verifying. 421*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_get0_signature(const ASN1_BIT_STRING **out_sig, 422*8fb009dcSAndroid Build Coastguard Worker const X509_ALGOR **out_alg, 423*8fb009dcSAndroid Build Coastguard Worker const X509 *x509); 424*8fb009dcSAndroid Build Coastguard Worker 425*8fb009dcSAndroid Build Coastguard Worker // X509_get_signature_nid returns the NID corresponding to |x509|'s signature 426*8fb009dcSAndroid Build Coastguard Worker // algorithm, or |NID_undef| if the signature algorithm does not correspond to 427*8fb009dcSAndroid Build Coastguard Worker // a known NID. 428*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_get_signature_nid(const X509 *x509); 429*8fb009dcSAndroid Build Coastguard Worker 430*8fb009dcSAndroid Build Coastguard Worker // i2d_X509_tbs serializes the TBSCertificate portion of |x509|, as described in 431*8fb009dcSAndroid Build Coastguard Worker // |i2d_SAMPLE|. 432*8fb009dcSAndroid Build Coastguard Worker // 433*8fb009dcSAndroid Build Coastguard Worker // This function preserves the original encoding of the TBSCertificate and may 434*8fb009dcSAndroid Build Coastguard Worker // not reflect modifications made to |x509|. It may be used to manually verify 435*8fb009dcSAndroid Build Coastguard Worker // the signature of an existing certificate. To generate certificates, use 436*8fb009dcSAndroid Build Coastguard Worker // |i2d_re_X509_tbs| instead. 437*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_X509_tbs(X509 *x509, unsigned char **outp); 438*8fb009dcSAndroid Build Coastguard Worker 439*8fb009dcSAndroid Build Coastguard Worker // X509_verify checks that |x509| has a valid signature by |pkey|. It returns 440*8fb009dcSAndroid Build Coastguard Worker // one if the signature is valid and zero otherwise. Note this function only 441*8fb009dcSAndroid Build Coastguard Worker // checks the signature itself and does not perform a full certificate 442*8fb009dcSAndroid Build Coastguard Worker // validation. 443*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_verify(X509 *x509, EVP_PKEY *pkey); 444*8fb009dcSAndroid Build Coastguard Worker 445*8fb009dcSAndroid Build Coastguard Worker // X509_get1_email returns a newly-allocated list of NUL-terminated strings 446*8fb009dcSAndroid Build Coastguard Worker // containing all email addresses in |x509|'s subject and all rfc822name names 447*8fb009dcSAndroid Build Coastguard Worker // in |x509|'s subject alternative names. Email addresses which contain embedded 448*8fb009dcSAndroid Build Coastguard Worker // NUL bytes are skipped. 449*8fb009dcSAndroid Build Coastguard Worker // 450*8fb009dcSAndroid Build Coastguard Worker // On error, or if there are no such email addresses, it returns NULL. When 451*8fb009dcSAndroid Build Coastguard Worker // done, the caller must release the result with |X509_email_free|. 452*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_get1_email(const X509 *x509); 453*8fb009dcSAndroid Build Coastguard Worker 454*8fb009dcSAndroid Build Coastguard Worker // X509_get1_ocsp returns a newly-allocated list of NUL-terminated strings 455*8fb009dcSAndroid Build Coastguard Worker // containing all OCSP URIs in |x509|. That is, it collects all URI 456*8fb009dcSAndroid Build Coastguard Worker // AccessDescriptions with an accessMethod of id-ad-ocsp in |x509|'s authority 457*8fb009dcSAndroid Build Coastguard Worker // information access extension. URIs which contain embedded NUL bytes are 458*8fb009dcSAndroid Build Coastguard Worker // skipped. 459*8fb009dcSAndroid Build Coastguard Worker // 460*8fb009dcSAndroid Build Coastguard Worker // On error, or if there are no such URIs, it returns NULL. When done, the 461*8fb009dcSAndroid Build Coastguard Worker // caller must release the result with |X509_email_free|. 462*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(const X509 *x509); 463*8fb009dcSAndroid Build Coastguard Worker 464*8fb009dcSAndroid Build Coastguard Worker // X509_email_free releases memory associated with |sk|, including |sk| itself. 465*8fb009dcSAndroid Build Coastguard Worker // Each |OPENSSL_STRING| in |sk| must be a NUL-terminated string allocated with 466*8fb009dcSAndroid Build Coastguard Worker // |OPENSSL_malloc|. If |sk| is NULL, no action is taken. 467*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_email_free(STACK_OF(OPENSSL_STRING) *sk); 468*8fb009dcSAndroid Build Coastguard Worker 469*8fb009dcSAndroid Build Coastguard Worker // X509_cmp compares |a| and |b| and returns zero if they are equal, a negative 470*8fb009dcSAndroid Build Coastguard Worker // number if |b| sorts after |a| and a negative number if |a| sorts after |b|. 471*8fb009dcSAndroid Build Coastguard Worker // The sort order implemented by this function is arbitrary and does not 472*8fb009dcSAndroid Build Coastguard Worker // reflect properties of the certificate such as expiry. Applications should not 473*8fb009dcSAndroid Build Coastguard Worker // rely on the order itself. 474*8fb009dcSAndroid Build Coastguard Worker // 475*8fb009dcSAndroid Build Coastguard Worker // TODO(https://crbug.com/boringssl/355): This function works by comparing a 476*8fb009dcSAndroid Build Coastguard Worker // cached hash of the encoded certificate. If |a| or |b| could not be 477*8fb009dcSAndroid Build Coastguard Worker // serialized, the current behavior is to compare all unencodable certificates 478*8fb009dcSAndroid Build Coastguard Worker // as equal. This function should only be used with |X509| objects that were 479*8fb009dcSAndroid Build Coastguard Worker // parsed from bytes and never mutated. 480*8fb009dcSAndroid Build Coastguard Worker // 481*8fb009dcSAndroid Build Coastguard Worker // TODO(https://crbug.com/boringssl/407): This function is const, but it is not 482*8fb009dcSAndroid Build Coastguard Worker // always thread-safe, notably if |a| and |b| were mutated. 483*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_cmp(const X509 *a, const X509 *b); 484*8fb009dcSAndroid Build Coastguard Worker 485*8fb009dcSAndroid Build Coastguard Worker 486*8fb009dcSAndroid Build Coastguard Worker // Issuing certificates. 487*8fb009dcSAndroid Build Coastguard Worker // 488*8fb009dcSAndroid Build Coastguard Worker // An |X509| object may also represent an incomplete certificate. Callers may 489*8fb009dcSAndroid Build Coastguard Worker // construct empty |X509| objects, fill in fields individually, and finally sign 490*8fb009dcSAndroid Build Coastguard Worker // the result. The following functions may be used for this purpose. 491*8fb009dcSAndroid Build Coastguard Worker 492*8fb009dcSAndroid Build Coastguard Worker // X509_new returns a newly-allocated, empty |X509| object, or NULL on error. 493*8fb009dcSAndroid Build Coastguard Worker // This produces an incomplete certificate which may be filled in to issue a new 494*8fb009dcSAndroid Build Coastguard Worker // certificate. 495*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509 *X509_new(void); 496*8fb009dcSAndroid Build Coastguard Worker 497*8fb009dcSAndroid Build Coastguard Worker // X509_set_version sets |x509|'s version to |version|, which should be one of 498*8fb009dcSAndroid Build Coastguard Worker // the |X509V_VERSION_*| constants. It returns one on success and zero on error. 499*8fb009dcSAndroid Build Coastguard Worker // 500*8fb009dcSAndroid Build Coastguard Worker // If unsure, use |X509_VERSION_3|. 501*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_set_version(X509 *x509, long version); 502*8fb009dcSAndroid Build Coastguard Worker 503*8fb009dcSAndroid Build Coastguard Worker // X509_set_serialNumber sets |x509|'s serial number to |serial|. It returns one 504*8fb009dcSAndroid Build Coastguard Worker // on success and zero on error. 505*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_set_serialNumber(X509 *x509, 506*8fb009dcSAndroid Build Coastguard Worker const ASN1_INTEGER *serial); 507*8fb009dcSAndroid Build Coastguard Worker 508*8fb009dcSAndroid Build Coastguard Worker // X509_set1_notBefore sets |x509|'s notBefore time to |tm|. It returns one on 509*8fb009dcSAndroid Build Coastguard Worker // success and zero on error. 510*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_set1_notBefore(X509 *x509, const ASN1_TIME *tm); 511*8fb009dcSAndroid Build Coastguard Worker 512*8fb009dcSAndroid Build Coastguard Worker // X509_set1_notAfter sets |x509|'s notAfter time to |tm|. it returns one on 513*8fb009dcSAndroid Build Coastguard Worker // success and zero on error. 514*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_set1_notAfter(X509 *x509, const ASN1_TIME *tm); 515*8fb009dcSAndroid Build Coastguard Worker 516*8fb009dcSAndroid Build Coastguard Worker // X509_getm_notBefore returns a mutable pointer to |x509|'s notBefore time. 517*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT ASN1_TIME *X509_getm_notBefore(X509 *x509); 518*8fb009dcSAndroid Build Coastguard Worker 519*8fb009dcSAndroid Build Coastguard Worker // X509_getm_notAfter returns a mutable pointer to |x509|'s notAfter time. 520*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT ASN1_TIME *X509_getm_notAfter(X509 *x); 521*8fb009dcSAndroid Build Coastguard Worker 522*8fb009dcSAndroid Build Coastguard Worker // X509_set_issuer_name sets |x509|'s issuer to a copy of |name|. It returns one 523*8fb009dcSAndroid Build Coastguard Worker // on success and zero on error. 524*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_set_issuer_name(X509 *x509, X509_NAME *name); 525*8fb009dcSAndroid Build Coastguard Worker 526*8fb009dcSAndroid Build Coastguard Worker // X509_set_subject_name sets |x509|'s subject to a copy of |name|. It returns 527*8fb009dcSAndroid Build Coastguard Worker // one on success and zero on error. 528*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_set_subject_name(X509 *x509, X509_NAME *name); 529*8fb009dcSAndroid Build Coastguard Worker 530*8fb009dcSAndroid Build Coastguard Worker // X509_set_pubkey sets |x509|'s public key to |pkey|. It returns one on success 531*8fb009dcSAndroid Build Coastguard Worker // and zero on error. This function does not take ownership of |pkey| and 532*8fb009dcSAndroid Build Coastguard Worker // internally copies and updates reference counts as needed. 533*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_set_pubkey(X509 *x509, EVP_PKEY *pkey); 534*8fb009dcSAndroid Build Coastguard Worker 535*8fb009dcSAndroid Build Coastguard Worker // X509_delete_ext removes the extension in |x| at index |loc| and returns the 536*8fb009dcSAndroid Build Coastguard Worker // removed extension, or NULL if |loc| was out of bounds. If non-NULL, the 537*8fb009dcSAndroid Build Coastguard Worker // caller must release the result with |X509_EXTENSION_free|. 538*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_EXTENSION *X509_delete_ext(X509 *x, int loc); 539*8fb009dcSAndroid Build Coastguard Worker 540*8fb009dcSAndroid Build Coastguard Worker // X509_add_ext adds a copy of |ex| to |x|. It returns one on success and zero 541*8fb009dcSAndroid Build Coastguard Worker // on failure. The caller retains ownership of |ex| and can release it 542*8fb009dcSAndroid Build Coastguard Worker // independently of |x|. 543*8fb009dcSAndroid Build Coastguard Worker // 544*8fb009dcSAndroid Build Coastguard Worker // The new extension is inserted at index |loc|, shifting extensions to the 545*8fb009dcSAndroid Build Coastguard Worker // right. If |loc| is -1 or out of bounds, the new extension is appended to the 546*8fb009dcSAndroid Build Coastguard Worker // list. 547*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_add_ext(X509 *x, const X509_EXTENSION *ex, int loc); 548*8fb009dcSAndroid Build Coastguard Worker 549*8fb009dcSAndroid Build Coastguard Worker // X509_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the extension to 550*8fb009dcSAndroid Build Coastguard Worker // |x|'s extension list. 551*8fb009dcSAndroid Build Coastguard Worker // 552*8fb009dcSAndroid Build Coastguard Worker // WARNING: This function may return zero or -1 on error. The caller must also 553*8fb009dcSAndroid Build Coastguard Worker // ensure |value|'s type matches |nid|. See the documentation for 554*8fb009dcSAndroid Build Coastguard Worker // |X509V3_add1_i2d| for details. 555*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit, 556*8fb009dcSAndroid Build Coastguard Worker unsigned long flags); 557*8fb009dcSAndroid Build Coastguard Worker 558*8fb009dcSAndroid Build Coastguard Worker // X509_sign signs |x509| with |pkey| and replaces the signature algorithm and 559*8fb009dcSAndroid Build Coastguard Worker // signature fields. It returns the length of the signature on success and zero 560*8fb009dcSAndroid Build Coastguard Worker // on error. This function uses digest algorithm |md|, or |pkey|'s default if 561*8fb009dcSAndroid Build Coastguard Worker // NULL. Other signing parameters use |pkey|'s defaults. To customize them, use 562*8fb009dcSAndroid Build Coastguard Worker // |X509_sign_ctx|. 563*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_sign(X509 *x509, EVP_PKEY *pkey, const EVP_MD *md); 564*8fb009dcSAndroid Build Coastguard Worker 565*8fb009dcSAndroid Build Coastguard Worker // X509_sign_ctx signs |x509| with |ctx| and replaces the signature algorithm 566*8fb009dcSAndroid Build Coastguard Worker // and signature fields. It returns the length of the signature on success and 567*8fb009dcSAndroid Build Coastguard Worker // zero on error. The signature algorithm and parameters come from |ctx|, which 568*8fb009dcSAndroid Build Coastguard Worker // must have been initialized with |EVP_DigestSignInit|. The caller should 569*8fb009dcSAndroid Build Coastguard Worker // configure the corresponding |EVP_PKEY_CTX| before calling this function. 570*8fb009dcSAndroid Build Coastguard Worker // 571*8fb009dcSAndroid Build Coastguard Worker // On success or failure, this function mutates |ctx| and resets it to the empty 572*8fb009dcSAndroid Build Coastguard Worker // state. Caller should not rely on its contents after the function returns. 573*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_sign_ctx(X509 *x509, EVP_MD_CTX *ctx); 574*8fb009dcSAndroid Build Coastguard Worker 575*8fb009dcSAndroid Build Coastguard Worker // i2d_re_X509_tbs serializes the TBSCertificate portion of |x509|, as described 576*8fb009dcSAndroid Build Coastguard Worker // in |i2d_SAMPLE|. 577*8fb009dcSAndroid Build Coastguard Worker // 578*8fb009dcSAndroid Build Coastguard Worker // This function re-encodes the TBSCertificate and may not reflect |x509|'s 579*8fb009dcSAndroid Build Coastguard Worker // original encoding. It may be used to manually generate a signature for a new 580*8fb009dcSAndroid Build Coastguard Worker // certificate. To verify certificates, use |i2d_X509_tbs| instead. 581*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_re_X509_tbs(X509 *x509, unsigned char **outp); 582*8fb009dcSAndroid Build Coastguard Worker 583*8fb009dcSAndroid Build Coastguard Worker // X509_set1_signature_algo sets |x509|'s signature algorithm to |algo| and 584*8fb009dcSAndroid Build Coastguard Worker // returns one on success or zero on error. It updates both the signature field 585*8fb009dcSAndroid Build Coastguard Worker // of the TBSCertificate structure, and the signatureAlgorithm field of the 586*8fb009dcSAndroid Build Coastguard Worker // Certificate. 587*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_set1_signature_algo(X509 *x509, const X509_ALGOR *algo); 588*8fb009dcSAndroid Build Coastguard Worker 589*8fb009dcSAndroid Build Coastguard Worker // X509_set1_signature_value sets |x509|'s signature to a copy of the |sig_len| 590*8fb009dcSAndroid Build Coastguard Worker // bytes pointed by |sig|. It returns one on success and zero on error. 591*8fb009dcSAndroid Build Coastguard Worker // 592*8fb009dcSAndroid Build Coastguard Worker // Due to a specification error, X.509 certificates store signatures in ASN.1 593*8fb009dcSAndroid Build Coastguard Worker // BIT STRINGs, but signature algorithms return byte strings rather than bit 594*8fb009dcSAndroid Build Coastguard Worker // strings. This function creates a BIT STRING containing a whole number of 595*8fb009dcSAndroid Build Coastguard Worker // bytes, with the bit order matching the DER encoding. This matches the 596*8fb009dcSAndroid Build Coastguard Worker // encoding used by all X.509 signature algorithms. 597*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_set1_signature_value(X509 *x509, const uint8_t *sig, 598*8fb009dcSAndroid Build Coastguard Worker size_t sig_len); 599*8fb009dcSAndroid Build Coastguard Worker 600*8fb009dcSAndroid Build Coastguard Worker 601*8fb009dcSAndroid Build Coastguard Worker // Auxiliary certificate properties. 602*8fb009dcSAndroid Build Coastguard Worker // 603*8fb009dcSAndroid Build Coastguard Worker // |X509| objects optionally maintain auxiliary properties. These are not part 604*8fb009dcSAndroid Build Coastguard Worker // of the certificates themselves, and thus are not covered by signatures or 605*8fb009dcSAndroid Build Coastguard Worker // preserved by the standard serialization. They are used as inputs or outputs 606*8fb009dcSAndroid Build Coastguard Worker // to other functions in this library. 607*8fb009dcSAndroid Build Coastguard Worker 608*8fb009dcSAndroid Build Coastguard Worker // i2d_X509_AUX marshals |x509| as a DER-encoded X.509 Certificate (RFC 5280), 609*8fb009dcSAndroid Build Coastguard Worker // followed optionally by a separate, OpenSSL-specific structure with auxiliary 610*8fb009dcSAndroid Build Coastguard Worker // properties. It behaves as described in |i2d_SAMPLE|. 611*8fb009dcSAndroid Build Coastguard Worker // 612*8fb009dcSAndroid Build Coastguard Worker // Unlike similarly-named functions, this function does not output a single 613*8fb009dcSAndroid Build Coastguard Worker // ASN.1 element. Directly embedding the output in a larger ASN.1 structure will 614*8fb009dcSAndroid Build Coastguard Worker // not behave correctly. 615*8fb009dcSAndroid Build Coastguard Worker // 616*8fb009dcSAndroid Build Coastguard Worker // TODO(crbug.com/boringssl/407): |x509| should be const. 617*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_X509_AUX(X509 *x509, uint8_t **outp); 618*8fb009dcSAndroid Build Coastguard Worker 619*8fb009dcSAndroid Build Coastguard Worker // d2i_X509_AUX parses up to |length| bytes from |*inp| as a DER-encoded X.509 620*8fb009dcSAndroid Build Coastguard Worker // Certificate (RFC 5280), followed optionally by a separate, OpenSSL-specific 621*8fb009dcSAndroid Build Coastguard Worker // structure with auxiliary properties. It behaves as described in |d2i_SAMPLE|. 622*8fb009dcSAndroid Build Coastguard Worker // 623*8fb009dcSAndroid Build Coastguard Worker // WARNING: Passing untrusted input to this function allows an attacker to 624*8fb009dcSAndroid Build Coastguard Worker // control auxiliary properties. This can allow unexpected influence over the 625*8fb009dcSAndroid Build Coastguard Worker // application if the certificate is used in a context that reads auxiliary 626*8fb009dcSAndroid Build Coastguard Worker // properties. This includes PKCS#12 serialization, trusted certificates in 627*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE|, and callers of |X509_alias_get0| or |X509_keyid_get0|. 628*8fb009dcSAndroid Build Coastguard Worker // 629*8fb009dcSAndroid Build Coastguard Worker // Unlike similarly-named functions, this function does not parse a single 630*8fb009dcSAndroid Build Coastguard Worker // ASN.1 element. Trying to parse data directly embedded in a larger ASN.1 631*8fb009dcSAndroid Build Coastguard Worker // structure will not behave correctly. 632*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509 *d2i_X509_AUX(X509 **x509, const uint8_t **inp, 633*8fb009dcSAndroid Build Coastguard Worker long length); 634*8fb009dcSAndroid Build Coastguard Worker 635*8fb009dcSAndroid Build Coastguard Worker // X509_alias_set1 sets |x509|'s alias to |len| bytes from |name|. If |name| is 636*8fb009dcSAndroid Build Coastguard Worker // NULL, the alias is cleared instead. Aliases are not part of the certificate 637*8fb009dcSAndroid Build Coastguard Worker // itself and will not be serialized by |i2d_X509|. If |x509| is serialized in 638*8fb009dcSAndroid Build Coastguard Worker // a PKCS#12 structure, the friendlyName attribute (RFC 2985) will contain this 639*8fb009dcSAndroid Build Coastguard Worker // alias. 640*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_alias_set1(X509 *x509, const uint8_t *name, 641*8fb009dcSAndroid Build Coastguard Worker ossl_ssize_t len); 642*8fb009dcSAndroid Build Coastguard Worker 643*8fb009dcSAndroid Build Coastguard Worker // X509_keyid_set1 sets |x509|'s key ID to |len| bytes from |id|. If |id| is 644*8fb009dcSAndroid Build Coastguard Worker // NULL, the key ID is cleared instead. Key IDs are not part of the certificate 645*8fb009dcSAndroid Build Coastguard Worker // itself and will not be serialized by |i2d_X509|. 646*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_keyid_set1(X509 *x509, const uint8_t *id, 647*8fb009dcSAndroid Build Coastguard Worker ossl_ssize_t len); 648*8fb009dcSAndroid Build Coastguard Worker 649*8fb009dcSAndroid Build Coastguard Worker // X509_alias_get0 looks up |x509|'s alias. If found, it sets |*out_len| to the 650*8fb009dcSAndroid Build Coastguard Worker // alias's length and returns a pointer to a buffer containing the contents. If 651*8fb009dcSAndroid Build Coastguard Worker // not found, it outputs the empty string by returning NULL and setting 652*8fb009dcSAndroid Build Coastguard Worker // |*out_len| to zero. 653*8fb009dcSAndroid Build Coastguard Worker // 654*8fb009dcSAndroid Build Coastguard Worker // If |x509| was parsed from a PKCS#12 structure (see 655*8fb009dcSAndroid Build Coastguard Worker // |PKCS12_get_key_and_certs|), the alias will reflect the friendlyName 656*8fb009dcSAndroid Build Coastguard Worker // attribute (RFC 2985). 657*8fb009dcSAndroid Build Coastguard Worker // 658*8fb009dcSAndroid Build Coastguard Worker // WARNING: In OpenSSL, this function did not set |*out_len| when the alias was 659*8fb009dcSAndroid Build Coastguard Worker // missing. Callers that target both OpenSSL and BoringSSL should set the value 660*8fb009dcSAndroid Build Coastguard Worker // to zero before calling this function. 661*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT const uint8_t *X509_alias_get0(const X509 *x509, int *out_len); 662*8fb009dcSAndroid Build Coastguard Worker 663*8fb009dcSAndroid Build Coastguard Worker // X509_keyid_get0 looks up |x509|'s key ID. If found, it sets |*out_len| to the 664*8fb009dcSAndroid Build Coastguard Worker // key ID's length and returns a pointer to a buffer containing the contents. If 665*8fb009dcSAndroid Build Coastguard Worker // not found, it outputs the empty string by returning NULL and setting 666*8fb009dcSAndroid Build Coastguard Worker // |*out_len| to zero. 667*8fb009dcSAndroid Build Coastguard Worker // 668*8fb009dcSAndroid Build Coastguard Worker // WARNING: In OpenSSL, this function did not set |*out_len| when the alias was 669*8fb009dcSAndroid Build Coastguard Worker // missing. Callers that target both OpenSSL and BoringSSL should set the value 670*8fb009dcSAndroid Build Coastguard Worker // to zero before calling this function. 671*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT const uint8_t *X509_keyid_get0(const X509 *x509, int *out_len); 672*8fb009dcSAndroid Build Coastguard Worker 673*8fb009dcSAndroid Build Coastguard Worker // X509_add1_trust_object configures |x509| as a valid trust anchor for |obj|. 674*8fb009dcSAndroid Build Coastguard Worker // It returns one on success and zero on error. |obj| should be a certificate 675*8fb009dcSAndroid Build Coastguard Worker // usage OID associated with an |X509_TRUST_*| constant. 676*8fb009dcSAndroid Build Coastguard Worker // 677*8fb009dcSAndroid Build Coastguard Worker // See |X509_VERIFY_PARAM_set_trust| for details on how this value is evaluated. 678*8fb009dcSAndroid Build Coastguard Worker // Note this only takes effect if |x509| was configured as a trusted certificate 679*8fb009dcSAndroid Build Coastguard Worker // via |X509_STORE|. 680*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_add1_trust_object(X509 *x509, const ASN1_OBJECT *obj); 681*8fb009dcSAndroid Build Coastguard Worker 682*8fb009dcSAndroid Build Coastguard Worker // X509_add1_reject_object configures |x509| as distrusted for |obj|. It returns 683*8fb009dcSAndroid Build Coastguard Worker // one on success and zero on error. |obj| should be a certificate usage OID 684*8fb009dcSAndroid Build Coastguard Worker // associated with an |X509_TRUST_*| constant. 685*8fb009dcSAndroid Build Coastguard Worker // 686*8fb009dcSAndroid Build Coastguard Worker // See |X509_VERIFY_PARAM_set_trust| for details on how this value is evaluated. 687*8fb009dcSAndroid Build Coastguard Worker // Note this only takes effect if |x509| was configured as a trusted certificate 688*8fb009dcSAndroid Build Coastguard Worker // via |X509_STORE|. 689*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_add1_reject_object(X509 *x509, const ASN1_OBJECT *obj); 690*8fb009dcSAndroid Build Coastguard Worker 691*8fb009dcSAndroid Build Coastguard Worker // X509_trust_clear clears the list of OIDs for which |x509| is trusted. See 692*8fb009dcSAndroid Build Coastguard Worker // also |X509_add1_trust_object|. 693*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_trust_clear(X509 *x509); 694*8fb009dcSAndroid Build Coastguard Worker 695*8fb009dcSAndroid Build Coastguard Worker // X509_reject_clear clears the list of OIDs for which |x509| is distrusted. See 696*8fb009dcSAndroid Build Coastguard Worker // also |X509_add1_reject_object|. 697*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_reject_clear(X509 *x509); 698*8fb009dcSAndroid Build Coastguard Worker 699*8fb009dcSAndroid Build Coastguard Worker 700*8fb009dcSAndroid Build Coastguard Worker // Certificate revocation lists. 701*8fb009dcSAndroid Build Coastguard Worker // 702*8fb009dcSAndroid Build Coastguard Worker // An |X509_CRL| object represents an X.509 certificate revocation list (CRL), 703*8fb009dcSAndroid Build Coastguard Worker // defined in RFC 5280. A CRL is a signed list of certificates, the 704*8fb009dcSAndroid Build Coastguard Worker // revokedCertificates field, which are no longer considered valid. Each entry 705*8fb009dcSAndroid Build Coastguard Worker // of this list is represented with an |X509_REVOKED| object, documented in the 706*8fb009dcSAndroid Build Coastguard Worker // "CRL entries" section below. 707*8fb009dcSAndroid Build Coastguard Worker // 708*8fb009dcSAndroid Build Coastguard Worker // Although an |X509_CRL| is a mutable object, mutating an |X509_CRL| or its 709*8fb009dcSAndroid Build Coastguard Worker // |X509_REVOKED|s can give incorrect results. Callers typically obtain 710*8fb009dcSAndroid Build Coastguard Worker // |X509_CRL|s by parsing some input with |d2i_X509_CRL|, etc. Such objects 711*8fb009dcSAndroid Build Coastguard Worker // carry information such as the serialized TBSCertList and decoded extensions, 712*8fb009dcSAndroid Build Coastguard Worker // which will become inconsistent when mutated. 713*8fb009dcSAndroid Build Coastguard Worker // 714*8fb009dcSAndroid Build Coastguard Worker // Instead, mutation functions should only be used when issuing new CRLs, as 715*8fb009dcSAndroid Build Coastguard Worker // described in a later section. 716*8fb009dcSAndroid Build Coastguard Worker 717*8fb009dcSAndroid Build Coastguard Worker DEFINE_STACK_OF(X509_CRL) 718*8fb009dcSAndroid Build Coastguard Worker DEFINE_STACK_OF(X509_REVOKED) 719*8fb009dcSAndroid Build Coastguard Worker 720*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_up_ref adds one to the reference count of |crl| and returns one. 721*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_CRL_up_ref(X509_CRL *crl); 722*8fb009dcSAndroid Build Coastguard Worker 723*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_dup returns a newly-allocated copy of |crl|, or NULL on error. This 724*8fb009dcSAndroid Build Coastguard Worker // function works by serializing the structure, so if |crl| is incomplete, it 725*8fb009dcSAndroid Build Coastguard Worker // may fail. 726*8fb009dcSAndroid Build Coastguard Worker // 727*8fb009dcSAndroid Build Coastguard Worker // TODO(https://crbug.com/boringssl/407): This function should be const and 728*8fb009dcSAndroid Build Coastguard Worker // thread-safe but is currently neither in some cases, notably if |crl| was 729*8fb009dcSAndroid Build Coastguard Worker // mutated. 730*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_CRL *X509_CRL_dup(X509_CRL *crl); 731*8fb009dcSAndroid Build Coastguard Worker 732*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_free decrements |crl|'s reference count and, if zero, releases 733*8fb009dcSAndroid Build Coastguard Worker // memory associated with |crl|. 734*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_CRL_free(X509_CRL *crl); 735*8fb009dcSAndroid Build Coastguard Worker 736*8fb009dcSAndroid Build Coastguard Worker // d2i_X509_CRL parses up to |len| bytes from |*inp| as a DER-encoded X.509 737*8fb009dcSAndroid Build Coastguard Worker // CertificateList (RFC 5280), as described in |d2i_SAMPLE|. 738*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_CRL *d2i_X509_CRL(X509_CRL **out, const uint8_t **inp, 739*8fb009dcSAndroid Build Coastguard Worker long len); 740*8fb009dcSAndroid Build Coastguard Worker 741*8fb009dcSAndroid Build Coastguard Worker // i2d_X509_CRL marshals |crl| as a X.509 CertificateList (RFC 5280), as 742*8fb009dcSAndroid Build Coastguard Worker // described in |i2d_SAMPLE|. 743*8fb009dcSAndroid Build Coastguard Worker // 744*8fb009dcSAndroid Build Coastguard Worker // TODO(https://crbug.com/boringssl/407): This function should be const and 745*8fb009dcSAndroid Build Coastguard Worker // thread-safe but is currently neither in some cases, notably if |crl| was 746*8fb009dcSAndroid Build Coastguard Worker // mutated. 747*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_X509_CRL(X509_CRL *crl, uint8_t **outp); 748*8fb009dcSAndroid Build Coastguard Worker 749*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_match compares |a| and |b| and returns zero if they are equal, a 750*8fb009dcSAndroid Build Coastguard Worker // negative number if |b| sorts after |a| and a negative number if |a| sorts 751*8fb009dcSAndroid Build Coastguard Worker // after |b|. The sort order implemented by this function is arbitrary and does 752*8fb009dcSAndroid Build Coastguard Worker // not reflect properties of the CRL such as expiry. Applications should not 753*8fb009dcSAndroid Build Coastguard Worker // rely on the order itself. 754*8fb009dcSAndroid Build Coastguard Worker // 755*8fb009dcSAndroid Build Coastguard Worker // TODO(https://crbug.com/boringssl/355): This function works by comparing a 756*8fb009dcSAndroid Build Coastguard Worker // cached hash of the encoded CRL. This cached hash is computed when the CRL is 757*8fb009dcSAndroid Build Coastguard Worker // parsed, but not when mutating or issuing CRLs. This function should only be 758*8fb009dcSAndroid Build Coastguard Worker // used with |X509_CRL| objects that were parsed from bytes and never mutated. 759*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_CRL_match(const X509_CRL *a, const X509_CRL *b); 760*8fb009dcSAndroid Build Coastguard Worker 761*8fb009dcSAndroid Build Coastguard Worker #define X509_CRL_VERSION_1 0 762*8fb009dcSAndroid Build Coastguard Worker #define X509_CRL_VERSION_2 1 763*8fb009dcSAndroid Build Coastguard Worker 764*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_get_version returns the numerical value of |crl|'s version, which 765*8fb009dcSAndroid Build Coastguard Worker // will be one of the |X509_CRL_VERSION_*| constants. 766*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT long X509_CRL_get_version(const X509_CRL *crl); 767*8fb009dcSAndroid Build Coastguard Worker 768*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_get0_lastUpdate returns |crl|'s thisUpdate time. The OpenSSL API 769*8fb009dcSAndroid Build Coastguard Worker // refers to this field as lastUpdate. 770*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT const ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl); 771*8fb009dcSAndroid Build Coastguard Worker 772*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_get0_nextUpdate returns |crl|'s nextUpdate time, or NULL if |crl| 773*8fb009dcSAndroid Build Coastguard Worker // has none. 774*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl); 775*8fb009dcSAndroid Build Coastguard Worker 776*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_get_issuer returns |crl|'s issuer name. Note this function is not 777*8fb009dcSAndroid Build Coastguard Worker // const-correct for legacy reasons. 778*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl); 779*8fb009dcSAndroid Build Coastguard Worker 780*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_get0_by_serial finds the entry in |crl| whose serial number is 781*8fb009dcSAndroid Build Coastguard Worker // |serial|. If found, it sets |*out| to the entry and returns one. If not 782*8fb009dcSAndroid Build Coastguard Worker // found, it returns zero. 783*8fb009dcSAndroid Build Coastguard Worker // 784*8fb009dcSAndroid Build Coastguard Worker // On success, |*out| continues to be owned by |crl|. It is an error to free or 785*8fb009dcSAndroid Build Coastguard Worker // otherwise modify |*out|. 786*8fb009dcSAndroid Build Coastguard Worker // 787*8fb009dcSAndroid Build Coastguard Worker // TODO(crbug.com/boringssl/600): Ideally |crl| would be const. It is broadly 788*8fb009dcSAndroid Build Coastguard Worker // thread-safe, but changes the order of entries in |crl|. It cannot be called 789*8fb009dcSAndroid Build Coastguard Worker // concurrently with |i2d_X509_CRL|. 790*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_CRL_get0_by_serial(X509_CRL *crl, X509_REVOKED **out, 791*8fb009dcSAndroid Build Coastguard Worker const ASN1_INTEGER *serial); 792*8fb009dcSAndroid Build Coastguard Worker 793*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_get0_by_cert behaves like |X509_CRL_get0_by_serial|, except it looks 794*8fb009dcSAndroid Build Coastguard Worker // for the entry that matches |x509|. 795*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **out, 796*8fb009dcSAndroid Build Coastguard Worker X509 *x509); 797*8fb009dcSAndroid Build Coastguard Worker 798*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_get_REVOKED returns the list of revoked certificates in |crl|, or 799*8fb009dcSAndroid Build Coastguard Worker // NULL if |crl| omits it. 800*8fb009dcSAndroid Build Coastguard Worker // 801*8fb009dcSAndroid Build Coastguard Worker // TOOD(davidben): This function was originally a macro, without clear const 802*8fb009dcSAndroid Build Coastguard Worker // semantics. It should take a const input and give const output, but the latter 803*8fb009dcSAndroid Build Coastguard Worker // would break existing callers. For now, we match upstream. 804*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl); 805*8fb009dcSAndroid Build Coastguard Worker 806*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_get0_extensions returns |crl|'s extension list, or NULL if |crl| 807*8fb009dcSAndroid Build Coastguard Worker // omits it. A CRL can have extensions on individual entries, which is 808*8fb009dcSAndroid Build Coastguard Worker // |X509_REVOKED_get0_extensions|, or on the overall CRL, which is this 809*8fb009dcSAndroid Build Coastguard Worker // function. 810*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions( 811*8fb009dcSAndroid Build Coastguard Worker const X509_CRL *crl); 812*8fb009dcSAndroid Build Coastguard Worker 813*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_get_ext_count returns the number of extensions in |x|. 814*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_CRL_get_ext_count(const X509_CRL *x); 815*8fb009dcSAndroid Build Coastguard Worker 816*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_get_ext_by_NID behaves like |X509v3_get_ext_by_NID| but searches for 817*8fb009dcSAndroid Build Coastguard Worker // extensions in |x|. 818*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid, 819*8fb009dcSAndroid Build Coastguard Worker int lastpos); 820*8fb009dcSAndroid Build Coastguard Worker 821*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_get_ext_by_OBJ behaves like |X509v3_get_ext_by_OBJ| but searches for 822*8fb009dcSAndroid Build Coastguard Worker // extensions in |x|. 823*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_CRL_get_ext_by_OBJ(const X509_CRL *x, 824*8fb009dcSAndroid Build Coastguard Worker const ASN1_OBJECT *obj, int lastpos); 825*8fb009dcSAndroid Build Coastguard Worker 826*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_get_ext_by_critical behaves like |X509v3_get_ext_by_critical| but 827*8fb009dcSAndroid Build Coastguard Worker // searches for extensions in |x|. 828*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_CRL_get_ext_by_critical(const X509_CRL *x, int crit, 829*8fb009dcSAndroid Build Coastguard Worker int lastpos); 830*8fb009dcSAndroid Build Coastguard Worker 831*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_get_ext returns the extension in |x| at index |loc|, or NULL if 832*8fb009dcSAndroid Build Coastguard Worker // |loc| is out of bounds. This function returns a non-const pointer for OpenSSL 833*8fb009dcSAndroid Build Coastguard Worker // compatibility, but callers should not mutate the result. 834*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc); 835*8fb009dcSAndroid Build Coastguard Worker 836*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the 837*8fb009dcSAndroid Build Coastguard Worker // extension in |crl|'s extension list. 838*8fb009dcSAndroid Build Coastguard Worker // 839*8fb009dcSAndroid Build Coastguard Worker // WARNING: This function is difficult to use correctly. See the documentation 840*8fb009dcSAndroid Build Coastguard Worker // for |X509V3_get_d2i| for details. 841*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void *X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid, 842*8fb009dcSAndroid Build Coastguard Worker int *out_critical, int *out_idx); 843*8fb009dcSAndroid Build Coastguard Worker 844*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_get0_signature sets |*out_sig| and |*out_alg| to the signature and 845*8fb009dcSAndroid Build Coastguard Worker // signature algorithm of |crl|, respectively. Either output pointer may be NULL 846*8fb009dcSAndroid Build Coastguard Worker // to ignore the value. 847*8fb009dcSAndroid Build Coastguard Worker // 848*8fb009dcSAndroid Build Coastguard Worker // This function outputs the outer signature algorithm, not the one in the 849*8fb009dcSAndroid Build Coastguard Worker // TBSCertList. CRLs with mismatched signature algorithms will successfully 850*8fb009dcSAndroid Build Coastguard Worker // parse, but they will be rejected when verifying. 851*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_CRL_get0_signature(const X509_CRL *crl, 852*8fb009dcSAndroid Build Coastguard Worker const ASN1_BIT_STRING **out_sig, 853*8fb009dcSAndroid Build Coastguard Worker const X509_ALGOR **out_alg); 854*8fb009dcSAndroid Build Coastguard Worker 855*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_get_signature_nid returns the NID corresponding to |crl|'s signature 856*8fb009dcSAndroid Build Coastguard Worker // algorithm, or |NID_undef| if the signature algorithm does not correspond to 857*8fb009dcSAndroid Build Coastguard Worker // a known NID. 858*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_CRL_get_signature_nid(const X509_CRL *crl); 859*8fb009dcSAndroid Build Coastguard Worker 860*8fb009dcSAndroid Build Coastguard Worker // i2d_X509_CRL_tbs serializes the TBSCertList portion of |crl|, as described in 861*8fb009dcSAndroid Build Coastguard Worker // |i2d_SAMPLE|. 862*8fb009dcSAndroid Build Coastguard Worker // 863*8fb009dcSAndroid Build Coastguard Worker // This function preserves the original encoding of the TBSCertList and may not 864*8fb009dcSAndroid Build Coastguard Worker // reflect modifications made to |crl|. It may be used to manually verify the 865*8fb009dcSAndroid Build Coastguard Worker // signature of an existing CRL. To generate CRLs, use |i2d_re_X509_CRL_tbs| 866*8fb009dcSAndroid Build Coastguard Worker // instead. 867*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_X509_CRL_tbs(X509_CRL *crl, unsigned char **outp); 868*8fb009dcSAndroid Build Coastguard Worker 869*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_verify checks that |crl| has a valid signature by |pkey|. It returns 870*8fb009dcSAndroid Build Coastguard Worker // one if the signature is valid and zero otherwise. 871*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_CRL_verify(X509_CRL *crl, EVP_PKEY *pkey); 872*8fb009dcSAndroid Build Coastguard Worker 873*8fb009dcSAndroid Build Coastguard Worker 874*8fb009dcSAndroid Build Coastguard Worker // Issuing certificate revocation lists. 875*8fb009dcSAndroid Build Coastguard Worker // 876*8fb009dcSAndroid Build Coastguard Worker // An |X509_CRL| object may also represent an incomplete CRL. Callers may 877*8fb009dcSAndroid Build Coastguard Worker // construct empty |X509_CRL| objects, fill in fields individually, and finally 878*8fb009dcSAndroid Build Coastguard Worker // sign the result. The following functions may be used for this purpose. 879*8fb009dcSAndroid Build Coastguard Worker 880*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_new returns a newly-allocated, empty |X509_CRL| object, or NULL on 881*8fb009dcSAndroid Build Coastguard Worker // error. This object may be filled in and then signed to construct a CRL. 882*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_CRL *X509_CRL_new(void); 883*8fb009dcSAndroid Build Coastguard Worker 884*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_set_version sets |crl|'s version to |version|, which should be one 885*8fb009dcSAndroid Build Coastguard Worker // of the |X509_CRL_VERSION_*| constants. It returns one on success and zero on 886*8fb009dcSAndroid Build Coastguard Worker // error. 887*8fb009dcSAndroid Build Coastguard Worker // 888*8fb009dcSAndroid Build Coastguard Worker // If unsure, use |X509_CRL_VERSION_2|. Note that, unlike certificates, CRL 889*8fb009dcSAndroid Build Coastguard Worker // versions are only defined up to v2. Callers should not use |X509_VERSION_3|. 890*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_CRL_set_version(X509_CRL *crl, long version); 891*8fb009dcSAndroid Build Coastguard Worker 892*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_set_issuer_name sets |crl|'s issuer to a copy of |name|. It returns 893*8fb009dcSAndroid Build Coastguard Worker // one on success and zero on error. 894*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_CRL_set_issuer_name(X509_CRL *crl, X509_NAME *name); 895*8fb009dcSAndroid Build Coastguard Worker 896*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_set1_lastUpdate sets |crl|'s thisUpdate time to |tm|. It returns one 897*8fb009dcSAndroid Build Coastguard Worker // on success and zero on error. The OpenSSL API refers to this field as 898*8fb009dcSAndroid Build Coastguard Worker // lastUpdate. 899*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_CRL_set1_lastUpdate(X509_CRL *crl, const ASN1_TIME *tm); 900*8fb009dcSAndroid Build Coastguard Worker 901*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_set1_nextUpdate sets |crl|'s nextUpdate time to |tm|. It returns one 902*8fb009dcSAndroid Build Coastguard Worker // on success and zero on error. 903*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_CRL_set1_nextUpdate(X509_CRL *crl, const ASN1_TIME *tm); 904*8fb009dcSAndroid Build Coastguard Worker 905*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_add0_revoked adds |rev| to |crl|. On success, it takes ownership of 906*8fb009dcSAndroid Build Coastguard Worker // |rev| and returns one. On error, it returns zero. If this function fails, the 907*8fb009dcSAndroid Build Coastguard Worker // caller retains ownership of |rev| and must release it when done. 908*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev); 909*8fb009dcSAndroid Build Coastguard Worker 910*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_sort sorts the entries in |crl| by serial number. It returns one on 911*8fb009dcSAndroid Build Coastguard Worker // success and zero on error. 912*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_CRL_sort(X509_CRL *crl); 913*8fb009dcSAndroid Build Coastguard Worker 914*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_delete_ext removes the extension in |x| at index |loc| and returns 915*8fb009dcSAndroid Build Coastguard Worker // the removed extension, or NULL if |loc| was out of bounds. If non-NULL, the 916*8fb009dcSAndroid Build Coastguard Worker // caller must release the result with |X509_EXTENSION_free|. 917*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc); 918*8fb009dcSAndroid Build Coastguard Worker 919*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_add_ext adds a copy of |ex| to |x|. It returns one on success and 920*8fb009dcSAndroid Build Coastguard Worker // zero on failure. The caller retains ownership of |ex| and can release it 921*8fb009dcSAndroid Build Coastguard Worker // independently of |x|. 922*8fb009dcSAndroid Build Coastguard Worker // 923*8fb009dcSAndroid Build Coastguard Worker // The new extension is inserted at index |loc|, shifting extensions to the 924*8fb009dcSAndroid Build Coastguard Worker // right. If |loc| is -1 or out of bounds, the new extension is appended to the 925*8fb009dcSAndroid Build Coastguard Worker // list. 926*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_CRL_add_ext(X509_CRL *x, const X509_EXTENSION *ex, 927*8fb009dcSAndroid Build Coastguard Worker int loc); 928*8fb009dcSAndroid Build Coastguard Worker 929*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the extension 930*8fb009dcSAndroid Build Coastguard Worker // to |x|'s extension list. 931*8fb009dcSAndroid Build Coastguard Worker // 932*8fb009dcSAndroid Build Coastguard Worker // WARNING: This function may return zero or -1 on error. The caller must also 933*8fb009dcSAndroid Build Coastguard Worker // ensure |value|'s type matches |nid|. See the documentation for 934*8fb009dcSAndroid Build Coastguard Worker // |X509V3_add1_i2d| for details. 935*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, 936*8fb009dcSAndroid Build Coastguard Worker int crit, unsigned long flags); 937*8fb009dcSAndroid Build Coastguard Worker 938*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_sign signs |crl| with |pkey| and replaces the signature algorithm 939*8fb009dcSAndroid Build Coastguard Worker // and signature fields. It returns the length of the signature on success and 940*8fb009dcSAndroid Build Coastguard Worker // zero on error. This function uses digest algorithm |md|, or |pkey|'s default 941*8fb009dcSAndroid Build Coastguard Worker // if NULL. Other signing parameters use |pkey|'s defaults. To customize them, 942*8fb009dcSAndroid Build Coastguard Worker // use |X509_CRL_sign_ctx|. 943*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_CRL_sign(X509_CRL *crl, EVP_PKEY *pkey, 944*8fb009dcSAndroid Build Coastguard Worker const EVP_MD *md); 945*8fb009dcSAndroid Build Coastguard Worker 946*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_sign_ctx signs |crl| with |ctx| and replaces the signature algorithm 947*8fb009dcSAndroid Build Coastguard Worker // and signature fields. It returns the length of the signature on success and 948*8fb009dcSAndroid Build Coastguard Worker // zero on error. The signature algorithm and parameters come from |ctx|, which 949*8fb009dcSAndroid Build Coastguard Worker // must have been initialized with |EVP_DigestSignInit|. The caller should 950*8fb009dcSAndroid Build Coastguard Worker // configure the corresponding |EVP_PKEY_CTX| before calling this function. 951*8fb009dcSAndroid Build Coastguard Worker // 952*8fb009dcSAndroid Build Coastguard Worker // On success or failure, this function mutates |ctx| and resets it to the empty 953*8fb009dcSAndroid Build Coastguard Worker // state. Caller should not rely on its contents after the function returns. 954*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_CRL_sign_ctx(X509_CRL *crl, EVP_MD_CTX *ctx); 955*8fb009dcSAndroid Build Coastguard Worker 956*8fb009dcSAndroid Build Coastguard Worker // i2d_re_X509_CRL_tbs serializes the TBSCertList portion of |crl|, as described 957*8fb009dcSAndroid Build Coastguard Worker // in |i2d_SAMPLE|. 958*8fb009dcSAndroid Build Coastguard Worker // 959*8fb009dcSAndroid Build Coastguard Worker // This function re-encodes the TBSCertList and may not reflect |crl|'s original 960*8fb009dcSAndroid Build Coastguard Worker // encoding. It may be used to manually generate a signature for a new CRL. To 961*8fb009dcSAndroid Build Coastguard Worker // verify CRLs, use |i2d_X509_CRL_tbs| instead. 962*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **outp); 963*8fb009dcSAndroid Build Coastguard Worker 964*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_set1_signature_algo sets |crl|'s signature algorithm to |algo| and 965*8fb009dcSAndroid Build Coastguard Worker // returns one on success or zero on error. It updates both the signature field 966*8fb009dcSAndroid Build Coastguard Worker // of the TBSCertList structure, and the signatureAlgorithm field of the CRL. 967*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_CRL_set1_signature_algo(X509_CRL *crl, 968*8fb009dcSAndroid Build Coastguard Worker const X509_ALGOR *algo); 969*8fb009dcSAndroid Build Coastguard Worker 970*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_set1_signature_value sets |crl|'s signature to a copy of the 971*8fb009dcSAndroid Build Coastguard Worker // |sig_len| bytes pointed by |sig|. It returns one on success and zero on 972*8fb009dcSAndroid Build Coastguard Worker // error. 973*8fb009dcSAndroid Build Coastguard Worker // 974*8fb009dcSAndroid Build Coastguard Worker // Due to a specification error, X.509 CRLs store signatures in ASN.1 BIT 975*8fb009dcSAndroid Build Coastguard Worker // STRINGs, but signature algorithms return byte strings rather than bit 976*8fb009dcSAndroid Build Coastguard Worker // strings. This function creates a BIT STRING containing a whole number of 977*8fb009dcSAndroid Build Coastguard Worker // bytes, with the bit order matching the DER encoding. This matches the 978*8fb009dcSAndroid Build Coastguard Worker // encoding used by all X.509 signature algorithms. 979*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_CRL_set1_signature_value(X509_CRL *crl, 980*8fb009dcSAndroid Build Coastguard Worker const uint8_t *sig, 981*8fb009dcSAndroid Build Coastguard Worker size_t sig_len); 982*8fb009dcSAndroid Build Coastguard Worker 983*8fb009dcSAndroid Build Coastguard Worker 984*8fb009dcSAndroid Build Coastguard Worker // CRL entries. 985*8fb009dcSAndroid Build Coastguard Worker // 986*8fb009dcSAndroid Build Coastguard Worker // Each entry of a CRL is represented as an |X509_REVOKED| object, which 987*8fb009dcSAndroid Build Coastguard Worker // describes a revoked certificate by serial number. 988*8fb009dcSAndroid Build Coastguard Worker // 989*8fb009dcSAndroid Build Coastguard Worker // When an |X509_REVOKED| is obtained from an |X509_CRL| object, it is an error 990*8fb009dcSAndroid Build Coastguard Worker // to mutate the object. Doing so may break |X509_CRL|'s and cause the library 991*8fb009dcSAndroid Build Coastguard Worker // to behave incorrectly. 992*8fb009dcSAndroid Build Coastguard Worker 993*8fb009dcSAndroid Build Coastguard Worker // X509_REVOKED_new returns a newly-allocated, empty |X509_REVOKED| object, or 994*8fb009dcSAndroid Build Coastguard Worker // NULL on allocation error. 995*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_REVOKED *X509_REVOKED_new(void); 996*8fb009dcSAndroid Build Coastguard Worker 997*8fb009dcSAndroid Build Coastguard Worker // X509_REVOKED_free releases memory associated with |rev|. 998*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_REVOKED_free(X509_REVOKED *rev); 999*8fb009dcSAndroid Build Coastguard Worker 1000*8fb009dcSAndroid Build Coastguard Worker // d2i_X509_REVOKED parses up to |len| bytes from |*inp| as a DER-encoded X.509 1001*8fb009dcSAndroid Build Coastguard Worker // CRL entry, as described in |d2i_SAMPLE|. 1002*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_REVOKED *d2i_X509_REVOKED(X509_REVOKED **out, 1003*8fb009dcSAndroid Build Coastguard Worker const uint8_t **inp, long len); 1004*8fb009dcSAndroid Build Coastguard Worker 1005*8fb009dcSAndroid Build Coastguard Worker // i2d_X509_REVOKED marshals |alg| as a DER-encoded X.509 CRL entry, as 1006*8fb009dcSAndroid Build Coastguard Worker // described in |i2d_SAMPLE|. 1007*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_X509_REVOKED(const X509_REVOKED *alg, uint8_t **outp); 1008*8fb009dcSAndroid Build Coastguard Worker 1009*8fb009dcSAndroid Build Coastguard Worker // X509_REVOKED_dup returns a newly-allocated copy of |rev|, or NULL on error. 1010*8fb009dcSAndroid Build Coastguard Worker // This function works by serializing the structure, so if |rev| is incomplete, 1011*8fb009dcSAndroid Build Coastguard Worker // it may fail. 1012*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_REVOKED *X509_REVOKED_dup(const X509_REVOKED *rev); 1013*8fb009dcSAndroid Build Coastguard Worker 1014*8fb009dcSAndroid Build Coastguard Worker // X509_REVOKED_get0_serialNumber returns the serial number of the certificate 1015*8fb009dcSAndroid Build Coastguard Worker // revoked by |revoked|. 1016*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT const ASN1_INTEGER *X509_REVOKED_get0_serialNumber( 1017*8fb009dcSAndroid Build Coastguard Worker const X509_REVOKED *revoked); 1018*8fb009dcSAndroid Build Coastguard Worker 1019*8fb009dcSAndroid Build Coastguard Worker // X509_REVOKED_set_serialNumber sets |revoked|'s serial number to |serial|. It 1020*8fb009dcSAndroid Build Coastguard Worker // returns one on success or zero on error. 1021*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REVOKED_set_serialNumber(X509_REVOKED *revoked, 1022*8fb009dcSAndroid Build Coastguard Worker const ASN1_INTEGER *serial); 1023*8fb009dcSAndroid Build Coastguard Worker 1024*8fb009dcSAndroid Build Coastguard Worker // X509_REVOKED_get0_revocationDate returns the revocation time of the 1025*8fb009dcSAndroid Build Coastguard Worker // certificate revoked by |revoked|. 1026*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT const ASN1_TIME *X509_REVOKED_get0_revocationDate( 1027*8fb009dcSAndroid Build Coastguard Worker const X509_REVOKED *revoked); 1028*8fb009dcSAndroid Build Coastguard Worker 1029*8fb009dcSAndroid Build Coastguard Worker // X509_REVOKED_set_revocationDate sets |revoked|'s revocation time to |tm|. It 1030*8fb009dcSAndroid Build Coastguard Worker // returns one on success or zero on error. 1031*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REVOKED_set_revocationDate(X509_REVOKED *revoked, 1032*8fb009dcSAndroid Build Coastguard Worker const ASN1_TIME *tm); 1033*8fb009dcSAndroid Build Coastguard Worker 1034*8fb009dcSAndroid Build Coastguard Worker // X509_REVOKED_get0_extensions returns |r|'s extensions list, or NULL if |r| 1035*8fb009dcSAndroid Build Coastguard Worker // omits it. A CRL can have extensions on individual entries, which is this 1036*8fb009dcSAndroid Build Coastguard Worker // function, or on the overall CRL, which is |X509_CRL_get0_extensions|. 1037*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions( 1038*8fb009dcSAndroid Build Coastguard Worker const X509_REVOKED *r); 1039*8fb009dcSAndroid Build Coastguard Worker 1040*8fb009dcSAndroid Build Coastguard Worker // X509_REVOKED_get_ext_count returns the number of extensions in |x|. 1041*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REVOKED_get_ext_count(const X509_REVOKED *x); 1042*8fb009dcSAndroid Build Coastguard Worker 1043*8fb009dcSAndroid Build Coastguard Worker // X509_REVOKED_get_ext_by_NID behaves like |X509v3_get_ext_by_NID| but searches 1044*8fb009dcSAndroid Build Coastguard Worker // for extensions in |x|. 1045*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REVOKED_get_ext_by_NID(const X509_REVOKED *x, int nid, 1046*8fb009dcSAndroid Build Coastguard Worker int lastpos); 1047*8fb009dcSAndroid Build Coastguard Worker 1048*8fb009dcSAndroid Build Coastguard Worker // X509_REVOKED_get_ext_by_OBJ behaves like |X509v3_get_ext_by_OBJ| but searches 1049*8fb009dcSAndroid Build Coastguard Worker // for extensions in |x|. 1050*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REVOKED_get_ext_by_OBJ(const X509_REVOKED *x, 1051*8fb009dcSAndroid Build Coastguard Worker const ASN1_OBJECT *obj, 1052*8fb009dcSAndroid Build Coastguard Worker int lastpos); 1053*8fb009dcSAndroid Build Coastguard Worker 1054*8fb009dcSAndroid Build Coastguard Worker // X509_REVOKED_get_ext_by_critical behaves like |X509v3_get_ext_by_critical| 1055*8fb009dcSAndroid Build Coastguard Worker // but searches for extensions in |x|. 1056*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REVOKED_get_ext_by_critical(const X509_REVOKED *x, 1057*8fb009dcSAndroid Build Coastguard Worker int crit, int lastpos); 1058*8fb009dcSAndroid Build Coastguard Worker 1059*8fb009dcSAndroid Build Coastguard Worker // X509_REVOKED_get_ext returns the extension in |x| at index |loc|, or NULL if 1060*8fb009dcSAndroid Build Coastguard Worker // |loc| is out of bounds. This function returns a non-const pointer for OpenSSL 1061*8fb009dcSAndroid Build Coastguard Worker // compatibility, but callers should not mutate the result. 1062*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_EXTENSION *X509_REVOKED_get_ext(const X509_REVOKED *x, 1063*8fb009dcSAndroid Build Coastguard Worker int loc); 1064*8fb009dcSAndroid Build Coastguard Worker 1065*8fb009dcSAndroid Build Coastguard Worker // X509_REVOKED_delete_ext removes the extension in |x| at index |loc| and 1066*8fb009dcSAndroid Build Coastguard Worker // returns the removed extension, or NULL if |loc| was out of bounds. If 1067*8fb009dcSAndroid Build Coastguard Worker // non-NULL, the caller must release the result with |X509_EXTENSION_free|. 1068*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, 1069*8fb009dcSAndroid Build Coastguard Worker int loc); 1070*8fb009dcSAndroid Build Coastguard Worker 1071*8fb009dcSAndroid Build Coastguard Worker // X509_REVOKED_add_ext adds a copy of |ex| to |x|. It returns one on success 1072*8fb009dcSAndroid Build Coastguard Worker // and zero on failure. The caller retains ownership of |ex| and can release it 1073*8fb009dcSAndroid Build Coastguard Worker // independently of |x|. 1074*8fb009dcSAndroid Build Coastguard Worker // 1075*8fb009dcSAndroid Build Coastguard Worker // The new extension is inserted at index |loc|, shifting extensions to the 1076*8fb009dcSAndroid Build Coastguard Worker // right. If |loc| is -1 or out of bounds, the new extension is appended to the 1077*8fb009dcSAndroid Build Coastguard Worker // list. 1078*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REVOKED_add_ext(X509_REVOKED *x, 1079*8fb009dcSAndroid Build Coastguard Worker const X509_EXTENSION *ex, int loc); 1080*8fb009dcSAndroid Build Coastguard Worker 1081*8fb009dcSAndroid Build Coastguard Worker // X509_REVOKED_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the 1082*8fb009dcSAndroid Build Coastguard Worker // extension in |revoked|'s extension list. 1083*8fb009dcSAndroid Build Coastguard Worker // 1084*8fb009dcSAndroid Build Coastguard Worker // WARNING: This function is difficult to use correctly. See the documentation 1085*8fb009dcSAndroid Build Coastguard Worker // for |X509V3_get_d2i| for details. 1086*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *revoked, 1087*8fb009dcSAndroid Build Coastguard Worker int nid, int *out_critical, 1088*8fb009dcSAndroid Build Coastguard Worker int *out_idx); 1089*8fb009dcSAndroid Build Coastguard Worker 1090*8fb009dcSAndroid Build Coastguard Worker // X509_REVOKED_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the 1091*8fb009dcSAndroid Build Coastguard Worker // extension to |x|'s extension list. 1092*8fb009dcSAndroid Build Coastguard Worker // 1093*8fb009dcSAndroid Build Coastguard Worker // WARNING: This function may return zero or -1 on error. The caller must also 1094*8fb009dcSAndroid Build Coastguard Worker // ensure |value|'s type matches |nid|. See the documentation for 1095*8fb009dcSAndroid Build Coastguard Worker // |X509V3_add1_i2d| for details. 1096*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid, 1097*8fb009dcSAndroid Build Coastguard Worker void *value, int crit, 1098*8fb009dcSAndroid Build Coastguard Worker unsigned long flags); 1099*8fb009dcSAndroid Build Coastguard Worker 1100*8fb009dcSAndroid Build Coastguard Worker 1101*8fb009dcSAndroid Build Coastguard Worker // Certificate requests. 1102*8fb009dcSAndroid Build Coastguard Worker // 1103*8fb009dcSAndroid Build Coastguard Worker // An |X509_REQ| represents a PKCS #10 certificate request (RFC 2986). These are 1104*8fb009dcSAndroid Build Coastguard Worker // also referred to as certificate signing requests or CSRs. CSRs are a common 1105*8fb009dcSAndroid Build Coastguard Worker // format used to request a certificate from a CA. 1106*8fb009dcSAndroid Build Coastguard Worker // 1107*8fb009dcSAndroid Build Coastguard Worker // Although an |X509_REQ| is a mutable object, mutating an |X509_REQ| can give 1108*8fb009dcSAndroid Build Coastguard Worker // incorrect results. Callers typically obtain |X509_REQ|s by parsing some input 1109*8fb009dcSAndroid Build Coastguard Worker // with |d2i_X509_REQ|, etc. Such objects carry information such as the 1110*8fb009dcSAndroid Build Coastguard Worker // serialized CertificationRequestInfo, which will become inconsistent when 1111*8fb009dcSAndroid Build Coastguard Worker // mutated. 1112*8fb009dcSAndroid Build Coastguard Worker // 1113*8fb009dcSAndroid Build Coastguard Worker // Instead, mutation functions should only be used when issuing new CRLs, as 1114*8fb009dcSAndroid Build Coastguard Worker // described in a later section. 1115*8fb009dcSAndroid Build Coastguard Worker 1116*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_dup returns a newly-allocated copy of |req|, or NULL on error. This 1117*8fb009dcSAndroid Build Coastguard Worker // function works by serializing the structure, so if |req| is incomplete, it 1118*8fb009dcSAndroid Build Coastguard Worker // may fail. 1119*8fb009dcSAndroid Build Coastguard Worker // 1120*8fb009dcSAndroid Build Coastguard Worker // TODO(https://crbug.com/boringssl/407): This function should be const and 1121*8fb009dcSAndroid Build Coastguard Worker // thread-safe but is currently neither in some cases, notably if |req| was 1122*8fb009dcSAndroid Build Coastguard Worker // mutated. 1123*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_REQ *X509_REQ_dup(X509_REQ *req); 1124*8fb009dcSAndroid Build Coastguard Worker 1125*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_free releases memory associated with |req|. 1126*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_REQ_free(X509_REQ *req); 1127*8fb009dcSAndroid Build Coastguard Worker 1128*8fb009dcSAndroid Build Coastguard Worker // d2i_X509_REQ parses up to |len| bytes from |*inp| as a DER-encoded 1129*8fb009dcSAndroid Build Coastguard Worker // CertificateRequest (RFC 2986), as described in |d2i_SAMPLE|. 1130*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_REQ *d2i_X509_REQ(X509_REQ **out, const uint8_t **inp, 1131*8fb009dcSAndroid Build Coastguard Worker long len); 1132*8fb009dcSAndroid Build Coastguard Worker 1133*8fb009dcSAndroid Build Coastguard Worker // i2d_X509_REQ marshals |req| as a CertificateRequest (RFC 2986), as described 1134*8fb009dcSAndroid Build Coastguard Worker // in |i2d_SAMPLE|. 1135*8fb009dcSAndroid Build Coastguard Worker // 1136*8fb009dcSAndroid Build Coastguard Worker // TODO(https://crbug.com/boringssl/407): This function should be const and 1137*8fb009dcSAndroid Build Coastguard Worker // thread-safe but is currently neither in some cases, notably if |req| was 1138*8fb009dcSAndroid Build Coastguard Worker // mutated. 1139*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_X509_REQ(X509_REQ *req, uint8_t **outp); 1140*8fb009dcSAndroid Build Coastguard Worker 1141*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_VERSION_1 is the version constant for |X509_REQ| objects. No other 1142*8fb009dcSAndroid Build Coastguard Worker // versions are defined. 1143*8fb009dcSAndroid Build Coastguard Worker #define X509_REQ_VERSION_1 0 1144*8fb009dcSAndroid Build Coastguard Worker 1145*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_get_version returns the numerical value of |req|'s version. This 1146*8fb009dcSAndroid Build Coastguard Worker // will always be |X509_REQ_VERSION_1| for valid CSRs. For compatibility, 1147*8fb009dcSAndroid Build Coastguard Worker // |d2i_X509_REQ| also accepts some invalid version numbers, in which case this 1148*8fb009dcSAndroid Build Coastguard Worker // function may return other values. 1149*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT long X509_REQ_get_version(const X509_REQ *req); 1150*8fb009dcSAndroid Build Coastguard Worker 1151*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_get_subject_name returns |req|'s subject name. Note this function is 1152*8fb009dcSAndroid Build Coastguard Worker // not const-correct for legacy reasons. 1153*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req); 1154*8fb009dcSAndroid Build Coastguard Worker 1155*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_get0_pubkey returns |req|'s public key as an |EVP_PKEY|, or NULL if 1156*8fb009dcSAndroid Build Coastguard Worker // the public key was unsupported or could not be decoded. The |EVP_PKEY| is 1157*8fb009dcSAndroid Build Coastguard Worker // cached in |req|, so callers must not mutate the result. 1158*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT EVP_PKEY *X509_REQ_get0_pubkey(const X509_REQ *req); 1159*8fb009dcSAndroid Build Coastguard Worker 1160*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_get_pubkey behaves like |X509_REQ_get0_pubkey| but increments the 1161*8fb009dcSAndroid Build Coastguard Worker // reference count on the |EVP_PKEY|. The caller must release the result with 1162*8fb009dcSAndroid Build Coastguard Worker // |EVP_PKEY_free| when done. The |EVP_PKEY| is cached in |req|, so callers must 1163*8fb009dcSAndroid Build Coastguard Worker // not mutate the result. 1164*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT EVP_PKEY *X509_REQ_get_pubkey(const X509_REQ *req); 1165*8fb009dcSAndroid Build Coastguard Worker 1166*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_check_private_key returns one if |req|'s public key matches |pkey| 1167*8fb009dcSAndroid Build Coastguard Worker // and zero otherwise. 1168*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REQ_check_private_key(const X509_REQ *req, 1169*8fb009dcSAndroid Build Coastguard Worker const EVP_PKEY *pkey); 1170*8fb009dcSAndroid Build Coastguard Worker 1171*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_get_attr_count returns the number of attributes in |req|. 1172*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REQ_get_attr_count(const X509_REQ *req); 1173*8fb009dcSAndroid Build Coastguard Worker 1174*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_get_attr returns the attribute at index |loc| in |req|, or NULL if 1175*8fb009dcSAndroid Build Coastguard Worker // out of bounds. 1176*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc); 1177*8fb009dcSAndroid Build Coastguard Worker 1178*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_get_attr_by_NID returns the index of the attribute in |req| of type 1179*8fb009dcSAndroid Build Coastguard Worker // |nid|, or a negative number if not found. If found, callers can use 1180*8fb009dcSAndroid Build Coastguard Worker // |X509_REQ_get_attr| to look up the attribute by index. 1181*8fb009dcSAndroid Build Coastguard Worker // 1182*8fb009dcSAndroid Build Coastguard Worker // If |lastpos| is non-negative, it begins searching at |lastpos| + 1. Callers 1183*8fb009dcSAndroid Build Coastguard Worker // can thus loop over all matching attributes by first passing -1 and then 1184*8fb009dcSAndroid Build Coastguard Worker // passing the previously-returned value until no match is returned. 1185*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid, 1186*8fb009dcSAndroid Build Coastguard Worker int lastpos); 1187*8fb009dcSAndroid Build Coastguard Worker 1188*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_get_attr_by_OBJ behaves like |X509_REQ_get_attr_by_NID| but looks 1189*8fb009dcSAndroid Build Coastguard Worker // for attributes of type |obj|. 1190*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, 1191*8fb009dcSAndroid Build Coastguard Worker const ASN1_OBJECT *obj, 1192*8fb009dcSAndroid Build Coastguard Worker int lastpos); 1193*8fb009dcSAndroid Build Coastguard Worker 1194*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_extension_nid returns one if |nid| is a supported CSR attribute type 1195*8fb009dcSAndroid Build Coastguard Worker // for carrying extensions and zero otherwise. The supported types are 1196*8fb009dcSAndroid Build Coastguard Worker // |NID_ext_req| (pkcs-9-at-extensionRequest from RFC 2985) and |NID_ms_ext_req| 1197*8fb009dcSAndroid Build Coastguard Worker // (a Microsoft szOID_CERT_EXTENSIONS variant). 1198*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REQ_extension_nid(int nid); 1199*8fb009dcSAndroid Build Coastguard Worker 1200*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_get_extensions decodes the most preferred list of requested 1201*8fb009dcSAndroid Build Coastguard Worker // extensions in |req| and returns a newly-allocated |STACK_OF(X509_EXTENSION)| 1202*8fb009dcSAndroid Build Coastguard Worker // containing the result. It returns NULL on error, or if |req| did not request 1203*8fb009dcSAndroid Build Coastguard Worker // extensions. 1204*8fb009dcSAndroid Build Coastguard Worker // 1205*8fb009dcSAndroid Build Coastguard Worker // CSRs do not store extensions directly. Instead there are attribute types 1206*8fb009dcSAndroid Build Coastguard Worker // which are defined to hold extensions. See |X509_REQ_extension_nid|. This 1207*8fb009dcSAndroid Build Coastguard Worker // function supports both pkcs-9-at-extensionRequest from RFC 2985 and the 1208*8fb009dcSAndroid Build Coastguard Worker // Microsoft szOID_CERT_EXTENSIONS variant. If both are present, 1209*8fb009dcSAndroid Build Coastguard Worker // pkcs-9-at-extensionRequest is preferred. 1210*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions( 1211*8fb009dcSAndroid Build Coastguard Worker const X509_REQ *req); 1212*8fb009dcSAndroid Build Coastguard Worker 1213*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_get0_signature sets |*out_sig| and |*out_alg| to the signature and 1214*8fb009dcSAndroid Build Coastguard Worker // signature algorithm of |req|, respectively. Either output pointer may be NULL 1215*8fb009dcSAndroid Build Coastguard Worker // to ignore the value. 1216*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_REQ_get0_signature(const X509_REQ *req, 1217*8fb009dcSAndroid Build Coastguard Worker const ASN1_BIT_STRING **out_sig, 1218*8fb009dcSAndroid Build Coastguard Worker const X509_ALGOR **out_alg); 1219*8fb009dcSAndroid Build Coastguard Worker 1220*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_get_signature_nid returns the NID corresponding to |req|'s signature 1221*8fb009dcSAndroid Build Coastguard Worker // algorithm, or |NID_undef| if the signature algorithm does not correspond to 1222*8fb009dcSAndroid Build Coastguard Worker // a known NID. 1223*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REQ_get_signature_nid(const X509_REQ *req); 1224*8fb009dcSAndroid Build Coastguard Worker 1225*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_verify checks that |req| has a valid signature by |pkey|. It returns 1226*8fb009dcSAndroid Build Coastguard Worker // one if the signature is valid and zero otherwise. 1227*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REQ_verify(X509_REQ *req, EVP_PKEY *pkey); 1228*8fb009dcSAndroid Build Coastguard Worker 1229*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_get1_email returns a newly-allocated list of NUL-terminated strings 1230*8fb009dcSAndroid Build Coastguard Worker // containing all email addresses in |req|'s subject and all rfc822name names 1231*8fb009dcSAndroid Build Coastguard Worker // in |req|'s subject alternative names. The subject alternative names extension 1232*8fb009dcSAndroid Build Coastguard Worker // is extracted from the result of |X509_REQ_get_extensions|. Email addresses 1233*8fb009dcSAndroid Build Coastguard Worker // which contain embedded NUL bytes are skipped. 1234*8fb009dcSAndroid Build Coastguard Worker // 1235*8fb009dcSAndroid Build Coastguard Worker // On error, or if there are no such email addresses, it returns NULL. When 1236*8fb009dcSAndroid Build Coastguard Worker // done, the caller must release the result with |X509_email_free|. 1237*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email( 1238*8fb009dcSAndroid Build Coastguard Worker const X509_REQ *req); 1239*8fb009dcSAndroid Build Coastguard Worker 1240*8fb009dcSAndroid Build Coastguard Worker 1241*8fb009dcSAndroid Build Coastguard Worker // Issuing certificate requests. 1242*8fb009dcSAndroid Build Coastguard Worker // 1243*8fb009dcSAndroid Build Coastguard Worker // An |X509_REQ| object may also represent an incomplete CSR. Callers may 1244*8fb009dcSAndroid Build Coastguard Worker // construct empty |X509_REQ| objects, fill in fields individually, and finally 1245*8fb009dcSAndroid Build Coastguard Worker // sign the result. The following functions may be used for this purpose. 1246*8fb009dcSAndroid Build Coastguard Worker 1247*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_new returns a newly-allocated, empty |X509_REQ| object, or NULL on 1248*8fb009dcSAndroid Build Coastguard Worker // error. This object may be filled in and then signed to construct a CSR. 1249*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_REQ *X509_REQ_new(void); 1250*8fb009dcSAndroid Build Coastguard Worker 1251*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_set_version sets |req|'s version to |version|, which should be 1252*8fb009dcSAndroid Build Coastguard Worker // |X509_REQ_VERSION_1|. It returns one on success and zero on error. 1253*8fb009dcSAndroid Build Coastguard Worker // 1254*8fb009dcSAndroid Build Coastguard Worker // The only defined CSR version is |X509_REQ_VERSION_1|, so there is no need to 1255*8fb009dcSAndroid Build Coastguard Worker // call this function. 1256*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REQ_set_version(X509_REQ *req, long version); 1257*8fb009dcSAndroid Build Coastguard Worker 1258*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_set_subject_name sets |req|'s subject to a copy of |name|. It 1259*8fb009dcSAndroid Build Coastguard Worker // returns one on success and zero on error. 1260*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REQ_set_subject_name(X509_REQ *req, X509_NAME *name); 1261*8fb009dcSAndroid Build Coastguard Worker 1262*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_set_pubkey sets |req|'s public key to |pkey|. It returns one on 1263*8fb009dcSAndroid Build Coastguard Worker // success and zero on error. This function does not take ownership of |pkey| 1264*8fb009dcSAndroid Build Coastguard Worker // and internally copies and updates reference counts as needed. 1265*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REQ_set_pubkey(X509_REQ *req, EVP_PKEY *pkey); 1266*8fb009dcSAndroid Build Coastguard Worker 1267*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_delete_attr removes the attribute at index |loc| in |req|. It 1268*8fb009dcSAndroid Build Coastguard Worker // returns the removed attribute to the caller, or NULL if |loc| was out of 1269*8fb009dcSAndroid Build Coastguard Worker // bounds. If non-NULL, the caller must release the result with 1270*8fb009dcSAndroid Build Coastguard Worker // |X509_ATTRIBUTE_free| when done. It is also safe, but not necessary, to call 1271*8fb009dcSAndroid Build Coastguard Worker // |X509_ATTRIBUTE_free| if the result is NULL. 1272*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc); 1273*8fb009dcSAndroid Build Coastguard Worker 1274*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_add1_attr appends a copy of |attr| to |req|'s list of attributes. It 1275*8fb009dcSAndroid Build Coastguard Worker // returns one on success and zero on error. 1276*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REQ_add1_attr(X509_REQ *req, 1277*8fb009dcSAndroid Build Coastguard Worker const X509_ATTRIBUTE *attr); 1278*8fb009dcSAndroid Build Coastguard Worker 1279*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_add1_attr_by_OBJ appends a new attribute to |req| with type |obj|. 1280*8fb009dcSAndroid Build Coastguard Worker // It returns one on success and zero on error. The value is determined by 1281*8fb009dcSAndroid Build Coastguard Worker // |X509_ATTRIBUTE_set1_data|. 1282*8fb009dcSAndroid Build Coastguard Worker // 1283*8fb009dcSAndroid Build Coastguard Worker // WARNING: The interpretation of |attrtype|, |data|, and |len| is complex and 1284*8fb009dcSAndroid Build Coastguard Worker // error-prone. See |X509_ATTRIBUTE_set1_data| for details. 1285*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REQ_add1_attr_by_OBJ(X509_REQ *req, 1286*8fb009dcSAndroid Build Coastguard Worker const ASN1_OBJECT *obj, 1287*8fb009dcSAndroid Build Coastguard Worker int attrtype, 1288*8fb009dcSAndroid Build Coastguard Worker const unsigned char *data, 1289*8fb009dcSAndroid Build Coastguard Worker int len); 1290*8fb009dcSAndroid Build Coastguard Worker 1291*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_add1_attr_by_NID behaves like |X509_REQ_add1_attr_by_OBJ| except the 1292*8fb009dcSAndroid Build Coastguard Worker // attribute type is determined by |nid|. 1293*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REQ_add1_attr_by_NID(X509_REQ *req, int nid, 1294*8fb009dcSAndroid Build Coastguard Worker int attrtype, 1295*8fb009dcSAndroid Build Coastguard Worker const unsigned char *data, 1296*8fb009dcSAndroid Build Coastguard Worker int len); 1297*8fb009dcSAndroid Build Coastguard Worker 1298*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_add1_attr_by_txt behaves like |X509_REQ_add1_attr_by_OBJ| except the 1299*8fb009dcSAndroid Build Coastguard Worker // attribute type is determined by calling |OBJ_txt2obj| with |attrname|. 1300*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REQ_add1_attr_by_txt(X509_REQ *req, 1301*8fb009dcSAndroid Build Coastguard Worker const char *attrname, int attrtype, 1302*8fb009dcSAndroid Build Coastguard Worker const unsigned char *data, 1303*8fb009dcSAndroid Build Coastguard Worker int len); 1304*8fb009dcSAndroid Build Coastguard Worker 1305*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_add_extensions_nid adds an attribute to |req| of type |nid|, to 1306*8fb009dcSAndroid Build Coastguard Worker // request the certificate extensions in |exts|. It returns one on success and 1307*8fb009dcSAndroid Build Coastguard Worker // zero on error. |nid| should be |NID_ext_req| or |NID_ms_ext_req|. 1308*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REQ_add_extensions_nid( 1309*8fb009dcSAndroid Build Coastguard Worker X509_REQ *req, const STACK_OF(X509_EXTENSION) *exts, int nid); 1310*8fb009dcSAndroid Build Coastguard Worker 1311*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_add_extensions behaves like |X509_REQ_add_extensions_nid|, using the 1312*8fb009dcSAndroid Build Coastguard Worker // standard |NID_ext_req| for the attribute type. 1313*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REQ_add_extensions( 1314*8fb009dcSAndroid Build Coastguard Worker X509_REQ *req, const STACK_OF(X509_EXTENSION) *exts); 1315*8fb009dcSAndroid Build Coastguard Worker 1316*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_sign signs |req| with |pkey| and replaces the signature algorithm 1317*8fb009dcSAndroid Build Coastguard Worker // and signature fields. It returns the length of the signature on success and 1318*8fb009dcSAndroid Build Coastguard Worker // zero on error. This function uses digest algorithm |md|, or |pkey|'s default 1319*8fb009dcSAndroid Build Coastguard Worker // if NULL. Other signing parameters use |pkey|'s defaults. To customize them, 1320*8fb009dcSAndroid Build Coastguard Worker // use |X509_REQ_sign_ctx|. 1321*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REQ_sign(X509_REQ *req, EVP_PKEY *pkey, 1322*8fb009dcSAndroid Build Coastguard Worker const EVP_MD *md); 1323*8fb009dcSAndroid Build Coastguard Worker 1324*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_sign_ctx signs |req| with |ctx| and replaces the signature algorithm 1325*8fb009dcSAndroid Build Coastguard Worker // and signature fields. It returns the length of the signature on success and 1326*8fb009dcSAndroid Build Coastguard Worker // zero on error. The signature algorithm and parameters come from |ctx|, which 1327*8fb009dcSAndroid Build Coastguard Worker // must have been initialized with |EVP_DigestSignInit|. The caller should 1328*8fb009dcSAndroid Build Coastguard Worker // configure the corresponding |EVP_PKEY_CTX| before calling this function. 1329*8fb009dcSAndroid Build Coastguard Worker // 1330*8fb009dcSAndroid Build Coastguard Worker // On success or failure, this function mutates |ctx| and resets it to the empty 1331*8fb009dcSAndroid Build Coastguard Worker // state. Caller should not rely on its contents after the function returns. 1332*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REQ_sign_ctx(X509_REQ *req, EVP_MD_CTX *ctx); 1333*8fb009dcSAndroid Build Coastguard Worker 1334*8fb009dcSAndroid Build Coastguard Worker // i2d_re_X509_REQ_tbs serializes the CertificationRequestInfo (see RFC 2986) 1335*8fb009dcSAndroid Build Coastguard Worker // portion of |req|, as described in |i2d_SAMPLE|. 1336*8fb009dcSAndroid Build Coastguard Worker // 1337*8fb009dcSAndroid Build Coastguard Worker // This function re-encodes the CertificationRequestInfo and may not reflect 1338*8fb009dcSAndroid Build Coastguard Worker // |req|'s original encoding. It may be used to manually generate a signature 1339*8fb009dcSAndroid Build Coastguard Worker // for a new certificate request. 1340*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_re_X509_REQ_tbs(X509_REQ *req, uint8_t **outp); 1341*8fb009dcSAndroid Build Coastguard Worker 1342*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_set1_signature_algo sets |req|'s signature algorithm to |algo| and 1343*8fb009dcSAndroid Build Coastguard Worker // returns one on success or zero on error. 1344*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REQ_set1_signature_algo(X509_REQ *req, 1345*8fb009dcSAndroid Build Coastguard Worker const X509_ALGOR *algo); 1346*8fb009dcSAndroid Build Coastguard Worker 1347*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_set1_signature_value sets |req|'s signature to a copy of the 1348*8fb009dcSAndroid Build Coastguard Worker // |sig_len| bytes pointed by |sig|. It returns one on success and zero on 1349*8fb009dcSAndroid Build Coastguard Worker // error. 1350*8fb009dcSAndroid Build Coastguard Worker // 1351*8fb009dcSAndroid Build Coastguard Worker // Due to a specification error, PKCS#10 certificate requests store signatures 1352*8fb009dcSAndroid Build Coastguard Worker // in ASN.1 BIT STRINGs, but signature algorithms return byte strings rather 1353*8fb009dcSAndroid Build Coastguard Worker // than bit strings. This function creates a BIT STRING containing a whole 1354*8fb009dcSAndroid Build Coastguard Worker // number of bytes, with the bit order matching the DER encoding. This matches 1355*8fb009dcSAndroid Build Coastguard Worker // the encoding used by all X.509 signature algorithms. 1356*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REQ_set1_signature_value(X509_REQ *req, 1357*8fb009dcSAndroid Build Coastguard Worker const uint8_t *sig, 1358*8fb009dcSAndroid Build Coastguard Worker size_t sig_len); 1359*8fb009dcSAndroid Build Coastguard Worker 1360*8fb009dcSAndroid Build Coastguard Worker 1361*8fb009dcSAndroid Build Coastguard Worker // Names. 1362*8fb009dcSAndroid Build Coastguard Worker // 1363*8fb009dcSAndroid Build Coastguard Worker // An |X509_NAME| represents an X.509 Name structure (RFC 5280). X.509 names are 1364*8fb009dcSAndroid Build Coastguard Worker // a complex, hierarchical structure over a collection of attributes. Each name 1365*8fb009dcSAndroid Build Coastguard Worker // is sequence of relative distinguished names (RDNs), decreasing in 1366*8fb009dcSAndroid Build Coastguard Worker // specificity. For example, the first RDN may specify the country, while the 1367*8fb009dcSAndroid Build Coastguard Worker // next RDN may specify a locality. Each RDN is, itself, a set of attributes. 1368*8fb009dcSAndroid Build Coastguard Worker // Having more than one attribute in an RDN is uncommon, but possible. Within an 1369*8fb009dcSAndroid Build Coastguard Worker // RDN, attributes have the same level in specificity. Attribute types are 1370*8fb009dcSAndroid Build Coastguard Worker // OBJECT IDENTIFIERs. This determines the ASN.1 type of the value, which is 1371*8fb009dcSAndroid Build Coastguard Worker // commonly a string but may be other types. 1372*8fb009dcSAndroid Build Coastguard Worker // 1373*8fb009dcSAndroid Build Coastguard Worker // The |X509_NAME| representation flattens this two-level structure into a 1374*8fb009dcSAndroid Build Coastguard Worker // single list of attributes. Each attribute is stored in an |X509_NAME_ENTRY|, 1375*8fb009dcSAndroid Build Coastguard Worker // with also maintains the index of the RDN it is part of, accessible via 1376*8fb009dcSAndroid Build Coastguard Worker // |X509_NAME_ENTRY_set|. This can be used to recover the two-level structure. 1377*8fb009dcSAndroid Build Coastguard Worker // 1378*8fb009dcSAndroid Build Coastguard Worker // X.509 names are largely vestigial. Historically, DNS names were parsed out of 1379*8fb009dcSAndroid Build Coastguard Worker // the subject's common name attribute, but this is deprecated and has since 1380*8fb009dcSAndroid Build Coastguard Worker // moved to the subject alternative name extension. In modern usage, X.509 names 1381*8fb009dcSAndroid Build Coastguard Worker // are primarily opaque identifiers to link a certificate with its issuer. 1382*8fb009dcSAndroid Build Coastguard Worker 1383*8fb009dcSAndroid Build Coastguard Worker DEFINE_STACK_OF(X509_NAME_ENTRY) 1384*8fb009dcSAndroid Build Coastguard Worker DEFINE_STACK_OF(X509_NAME) 1385*8fb009dcSAndroid Build Coastguard Worker 1386*8fb009dcSAndroid Build Coastguard Worker // X509_NAME is an |ASN1_ITEM| whose ASN.1 type is X.509 Name (RFC 5280) and C 1387*8fb009dcSAndroid Build Coastguard Worker // type is |X509_NAME*|. 1388*8fb009dcSAndroid Build Coastguard Worker DECLARE_ASN1_ITEM(X509_NAME) 1389*8fb009dcSAndroid Build Coastguard Worker 1390*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_new returns a new, empty |X509_NAME|, or NULL on error. 1391*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_NAME *X509_NAME_new(void); 1392*8fb009dcSAndroid Build Coastguard Worker 1393*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_free releases memory associated with |name|. 1394*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_NAME_free(X509_NAME *name); 1395*8fb009dcSAndroid Build Coastguard Worker 1396*8fb009dcSAndroid Build Coastguard Worker // d2i_X509_NAME parses up to |len| bytes from |*inp| as a DER-encoded X.509 1397*8fb009dcSAndroid Build Coastguard Worker // Name (RFC 5280), as described in |d2i_SAMPLE|. 1398*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_NAME *d2i_X509_NAME(X509_NAME **out, const uint8_t **inp, 1399*8fb009dcSAndroid Build Coastguard Worker long len); 1400*8fb009dcSAndroid Build Coastguard Worker 1401*8fb009dcSAndroid Build Coastguard Worker // i2d_X509_NAME marshals |in| as a DER-encoded X.509 Name (RFC 5280), as 1402*8fb009dcSAndroid Build Coastguard Worker // described in |i2d_SAMPLE|. 1403*8fb009dcSAndroid Build Coastguard Worker // 1404*8fb009dcSAndroid Build Coastguard Worker // TODO(https://crbug.com/boringssl/407): This function should be const and 1405*8fb009dcSAndroid Build Coastguard Worker // thread-safe but is currently neither in some cases, notably if |in| was 1406*8fb009dcSAndroid Build Coastguard Worker // mutated. 1407*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_X509_NAME(X509_NAME *in, uint8_t **outp); 1408*8fb009dcSAndroid Build Coastguard Worker 1409*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_dup returns a newly-allocated copy of |name|, or NULL on error. 1410*8fb009dcSAndroid Build Coastguard Worker // 1411*8fb009dcSAndroid Build Coastguard Worker // TODO(https://crbug.com/boringssl/407): This function should be const and 1412*8fb009dcSAndroid Build Coastguard Worker // thread-safe but is currently neither in some cases, notably if |name| was 1413*8fb009dcSAndroid Build Coastguard Worker // mutated. 1414*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_NAME *X509_NAME_dup(X509_NAME *name); 1415*8fb009dcSAndroid Build Coastguard Worker 1416*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_cmp compares |a| and |b|'s canonicalized forms. It returns zero if 1417*8fb009dcSAndroid Build Coastguard Worker // they are equal, one if |a| sorts after |b|, -1 if |b| sorts after |a|, and -2 1418*8fb009dcSAndroid Build Coastguard Worker // on error. 1419*8fb009dcSAndroid Build Coastguard Worker // 1420*8fb009dcSAndroid Build Coastguard Worker // TODO(https://crbug.com/boringssl/407): This function is const, but it is not 1421*8fb009dcSAndroid Build Coastguard Worker // always thread-safe, notably if |name| was mutated. 1422*8fb009dcSAndroid Build Coastguard Worker // 1423*8fb009dcSAndroid Build Coastguard Worker // TODO(https://crbug.com/boringssl/355): The -2 return is very inconvenient to 1424*8fb009dcSAndroid Build Coastguard Worker // pass to a sorting function. Can we make this infallible? In the meantime, 1425*8fb009dcSAndroid Build Coastguard Worker // prefer to use this function only for equality checks rather than comparisons. 1426*8fb009dcSAndroid Build Coastguard Worker // Although even the library itself passes this to a sorting function. 1427*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b); 1428*8fb009dcSAndroid Build Coastguard Worker 1429*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_get0_der marshals |name| as a DER-encoded X.509 Name (RFC 5280). On 1430*8fb009dcSAndroid Build Coastguard Worker // success, it returns one and sets |*out_der| and |*out_der_len| to a buffer 1431*8fb009dcSAndroid Build Coastguard Worker // containing the result. Otherwise, it returns zero. |*out_der| is owned by 1432*8fb009dcSAndroid Build Coastguard Worker // |name| and must not be freed by the caller. It is invalidated after |name| is 1433*8fb009dcSAndroid Build Coastguard Worker // mutated or freed. 1434*8fb009dcSAndroid Build Coastguard Worker // 1435*8fb009dcSAndroid Build Coastguard Worker // Avoid this function and prefer |i2d_X509_NAME|. It is one of the reasons 1436*8fb009dcSAndroid Build Coastguard Worker // |X509_NAME| functions, including this one, are not consistently thread-safe 1437*8fb009dcSAndroid Build Coastguard Worker // or const-correct. Depending on the resolution of 1438*8fb009dcSAndroid Build Coastguard Worker // https://crbug.com/boringssl/407, this function may be removed or cause poor 1439*8fb009dcSAndroid Build Coastguard Worker // performance. 1440*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_NAME_get0_der(X509_NAME *name, const uint8_t **out_der, 1441*8fb009dcSAndroid Build Coastguard Worker size_t *out_der_len); 1442*8fb009dcSAndroid Build Coastguard Worker 1443*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_set makes a copy of |name|. On success, it frees |*xn|, sets |*xn| 1444*8fb009dcSAndroid Build Coastguard Worker // to the copy, and returns one. Otherwise, it returns zero. 1445*8fb009dcSAndroid Build Coastguard Worker // 1446*8fb009dcSAndroid Build Coastguard Worker // TODO(https://crbug.com/boringssl/407): This function should be const and 1447*8fb009dcSAndroid Build Coastguard Worker // thread-safe but is currently neither in some cases, notably if |name| was 1448*8fb009dcSAndroid Build Coastguard Worker // mutated. 1449*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_NAME_set(X509_NAME **xn, X509_NAME *name); 1450*8fb009dcSAndroid Build Coastguard Worker 1451*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_entry_count returns the number of entries in |name|. 1452*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_NAME_entry_count(const X509_NAME *name); 1453*8fb009dcSAndroid Build Coastguard Worker 1454*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_get_index_by_NID returns the zero-based index of the first 1455*8fb009dcSAndroid Build Coastguard Worker // attribute in |name| with type |nid|, or -1 if there is none. |nid| should be 1456*8fb009dcSAndroid Build Coastguard Worker // one of the |NID_*| constants. If |lastpos| is non-negative, it begins 1457*8fb009dcSAndroid Build Coastguard Worker // searching at |lastpos+1|. To search all attributes, pass in -1, not zero. 1458*8fb009dcSAndroid Build Coastguard Worker // 1459*8fb009dcSAndroid Build Coastguard Worker // Indices from this function refer to |X509_NAME|'s flattened representation. 1460*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_NAME_get_index_by_NID(const X509_NAME *name, int nid, 1461*8fb009dcSAndroid Build Coastguard Worker int lastpos); 1462*8fb009dcSAndroid Build Coastguard Worker 1463*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_get_index_by_OBJ behaves like |X509_NAME_get_index_by_NID| but 1464*8fb009dcSAndroid Build Coastguard Worker // looks for attributes with type |obj|. 1465*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_NAME_get_index_by_OBJ(const X509_NAME *name, 1466*8fb009dcSAndroid Build Coastguard Worker const ASN1_OBJECT *obj, 1467*8fb009dcSAndroid Build Coastguard Worker int lastpos); 1468*8fb009dcSAndroid Build Coastguard Worker 1469*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_get_entry returns the attribute in |name| at index |loc|, or NULL 1470*8fb009dcSAndroid Build Coastguard Worker // if |loc| is out of range. |loc| is interpreted using |X509_NAME|'s flattened 1471*8fb009dcSAndroid Build Coastguard Worker // representation. This function returns a non-const pointer for OpenSSL 1472*8fb009dcSAndroid Build Coastguard Worker // compatibility, but callers should not mutate the result. Doing so will break 1473*8fb009dcSAndroid Build Coastguard Worker // internal invariants in the library. 1474*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_get_entry(const X509_NAME *name, 1475*8fb009dcSAndroid Build Coastguard Worker int loc); 1476*8fb009dcSAndroid Build Coastguard Worker 1477*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_delete_entry removes and returns the attribute in |name| at index 1478*8fb009dcSAndroid Build Coastguard Worker // |loc|, or NULL if |loc| is out of range. |loc| is interpreted using 1479*8fb009dcSAndroid Build Coastguard Worker // |X509_NAME|'s flattened representation. If the attribute is found, the caller 1480*8fb009dcSAndroid Build Coastguard Worker // is responsible for releasing the result with |X509_NAME_ENTRY_free|. 1481*8fb009dcSAndroid Build Coastguard Worker // 1482*8fb009dcSAndroid Build Coastguard Worker // This function will internally update RDN indices (see |X509_NAME_ENTRY_set|) 1483*8fb009dcSAndroid Build Coastguard Worker // so they continue to be consecutive. 1484*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, 1485*8fb009dcSAndroid Build Coastguard Worker int loc); 1486*8fb009dcSAndroid Build Coastguard Worker 1487*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_add_entry adds a copy of |entry| to |name| and returns one on 1488*8fb009dcSAndroid Build Coastguard Worker // success or zero on error. If |loc| is -1, the entry is appended to |name|. 1489*8fb009dcSAndroid Build Coastguard Worker // Otherwise, it is inserted at index |loc|. If |set| is -1, the entry is added 1490*8fb009dcSAndroid Build Coastguard Worker // to the previous entry's RDN. If it is 0, the entry becomes a singleton RDN. 1491*8fb009dcSAndroid Build Coastguard Worker // If 1, it is added to next entry's RDN. 1492*8fb009dcSAndroid Build Coastguard Worker // 1493*8fb009dcSAndroid Build Coastguard Worker // This function will internally update RDN indices (see |X509_NAME_ENTRY_set|) 1494*8fb009dcSAndroid Build Coastguard Worker // so they continue to be consecutive. 1495*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_NAME_add_entry(X509_NAME *name, 1496*8fb009dcSAndroid Build Coastguard Worker const X509_NAME_ENTRY *entry, int loc, 1497*8fb009dcSAndroid Build Coastguard Worker int set); 1498*8fb009dcSAndroid Build Coastguard Worker 1499*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_add_entry_by_OBJ adds a new entry to |name| and returns one on 1500*8fb009dcSAndroid Build Coastguard Worker // success or zero on error. The entry's attribute type is |obj|. The entry's 1501*8fb009dcSAndroid Build Coastguard Worker // attribute value is determined by |type|, |bytes|, and |len|, as in 1502*8fb009dcSAndroid Build Coastguard Worker // |X509_NAME_ENTRY_set_data|. The entry's position is determined by |loc| and 1503*8fb009dcSAndroid Build Coastguard Worker // |set| as in |X509_NAME_add_entry|. 1504*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_NAME_add_entry_by_OBJ(X509_NAME *name, 1505*8fb009dcSAndroid Build Coastguard Worker const ASN1_OBJECT *obj, int type, 1506*8fb009dcSAndroid Build Coastguard Worker const uint8_t *bytes, 1507*8fb009dcSAndroid Build Coastguard Worker ossl_ssize_t len, int loc, 1508*8fb009dcSAndroid Build Coastguard Worker int set); 1509*8fb009dcSAndroid Build Coastguard Worker 1510*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_add_entry_by_NID behaves like |X509_NAME_add_entry_by_OBJ| but sets 1511*8fb009dcSAndroid Build Coastguard Worker // the entry's attribute type to |nid|, which should be one of the |NID_*| 1512*8fb009dcSAndroid Build Coastguard Worker // constants. 1513*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, 1514*8fb009dcSAndroid Build Coastguard Worker int type, const uint8_t *bytes, 1515*8fb009dcSAndroid Build Coastguard Worker ossl_ssize_t len, int loc, 1516*8fb009dcSAndroid Build Coastguard Worker int set); 1517*8fb009dcSAndroid Build Coastguard Worker 1518*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_add_entry_by_txt behaves like |X509_NAME_add_entry_by_OBJ| but sets 1519*8fb009dcSAndroid Build Coastguard Worker // the entry's attribute type to |field|, which is passed to |OBJ_txt2obj|. 1520*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_NAME_add_entry_by_txt(X509_NAME *name, 1521*8fb009dcSAndroid Build Coastguard Worker const char *field, int type, 1522*8fb009dcSAndroid Build Coastguard Worker const uint8_t *bytes, 1523*8fb009dcSAndroid Build Coastguard Worker ossl_ssize_t len, int loc, 1524*8fb009dcSAndroid Build Coastguard Worker int set); 1525*8fb009dcSAndroid Build Coastguard Worker 1526*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_ENTRY_new returns a new, empty |X509_NAME_ENTRY|, or NULL on error. 1527*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_new(void); 1528*8fb009dcSAndroid Build Coastguard Worker 1529*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_ENTRY_free releases memory associated with |entry|. 1530*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_NAME_ENTRY_free(X509_NAME_ENTRY *entry); 1531*8fb009dcSAndroid Build Coastguard Worker 1532*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_ENTRY_dup returns a newly-allocated copy of |entry|, or NULL on 1533*8fb009dcSAndroid Build Coastguard Worker // error. 1534*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_dup( 1535*8fb009dcSAndroid Build Coastguard Worker const X509_NAME_ENTRY *entry); 1536*8fb009dcSAndroid Build Coastguard Worker 1537*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_ENTRY_get_object returns |entry|'s attribute type. This function 1538*8fb009dcSAndroid Build Coastguard Worker // returns a non-const pointer for OpenSSL compatibility, but callers should not 1539*8fb009dcSAndroid Build Coastguard Worker // mutate the result. Doing so will break internal invariants in the library. 1540*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT ASN1_OBJECT *X509_NAME_ENTRY_get_object( 1541*8fb009dcSAndroid Build Coastguard Worker const X509_NAME_ENTRY *entry); 1542*8fb009dcSAndroid Build Coastguard Worker 1543*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_ENTRY_set_object sets |entry|'s attribute type to |obj|. It returns 1544*8fb009dcSAndroid Build Coastguard Worker // one on success and zero on error. 1545*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *entry, 1546*8fb009dcSAndroid Build Coastguard Worker const ASN1_OBJECT *obj); 1547*8fb009dcSAndroid Build Coastguard Worker 1548*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_ENTRY_get_data returns |entry|'s attribute value, represented as an 1549*8fb009dcSAndroid Build Coastguard Worker // |ASN1_STRING|. This value may have any ASN.1 type, so callers must check the 1550*8fb009dcSAndroid Build Coastguard Worker // type before interpreting the contents. This function returns a non-const 1551*8fb009dcSAndroid Build Coastguard Worker // pointer for OpenSSL compatibility, but callers should not mutate the result. 1552*8fb009dcSAndroid Build Coastguard Worker // Doing so will break internal invariants in the library. 1553*8fb009dcSAndroid Build Coastguard Worker // 1554*8fb009dcSAndroid Build Coastguard Worker // TODO(https://crbug.com/boringssl/412): Although the spec says any ASN.1 type 1555*8fb009dcSAndroid Build Coastguard Worker // is allowed, we currently only allow an ad-hoc set of types. Additionally, it 1556*8fb009dcSAndroid Build Coastguard Worker // is unclear if some types can even be represented by this function. 1557*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT ASN1_STRING *X509_NAME_ENTRY_get_data( 1558*8fb009dcSAndroid Build Coastguard Worker const X509_NAME_ENTRY *entry); 1559*8fb009dcSAndroid Build Coastguard Worker 1560*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_ENTRY_set_data sets |entry|'s value to |len| bytes from |bytes|. It 1561*8fb009dcSAndroid Build Coastguard Worker // returns one on success and zero on error. If |len| is -1, |bytes| must be a 1562*8fb009dcSAndroid Build Coastguard Worker // NUL-terminated C string and the length is determined by |strlen|. |bytes| is 1563*8fb009dcSAndroid Build Coastguard Worker // converted to an ASN.1 type as follows: 1564*8fb009dcSAndroid Build Coastguard Worker // 1565*8fb009dcSAndroid Build Coastguard Worker // If |type| is a |MBSTRING_*| constant, the value is an ASN.1 string. The 1566*8fb009dcSAndroid Build Coastguard Worker // string is determined by decoding |bytes| in the encoding specified by |type|, 1567*8fb009dcSAndroid Build Coastguard Worker // and then re-encoding it in a form appropriate for |entry|'s attribute type. 1568*8fb009dcSAndroid Build Coastguard Worker // See |ASN1_STRING_set_by_NID| for details. 1569*8fb009dcSAndroid Build Coastguard Worker // 1570*8fb009dcSAndroid Build Coastguard Worker // Otherwise, the value is an |ASN1_STRING| with type |type| and value |bytes|. 1571*8fb009dcSAndroid Build Coastguard Worker // See |ASN1_STRING| for how to format ASN.1 types as an |ASN1_STRING|. If 1572*8fb009dcSAndroid Build Coastguard Worker // |type| is |V_ASN1_UNDEF| the previous |ASN1_STRING| type is reused. 1573*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *entry, int type, 1574*8fb009dcSAndroid Build Coastguard Worker const uint8_t *bytes, 1575*8fb009dcSAndroid Build Coastguard Worker ossl_ssize_t len); 1576*8fb009dcSAndroid Build Coastguard Worker 1577*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_ENTRY_set returns the zero-based index of the RDN which contains 1578*8fb009dcSAndroid Build Coastguard Worker // |entry|. Consecutive entries with the same index are part of the same RDN. 1579*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *entry); 1580*8fb009dcSAndroid Build Coastguard Worker 1581*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_ENTRY_create_by_OBJ creates a new |X509_NAME_ENTRY| with attribute 1582*8fb009dcSAndroid Build Coastguard Worker // type |obj|. The attribute value is determined from |type|, |bytes|, and |len| 1583*8fb009dcSAndroid Build Coastguard Worker // as in |X509_NAME_ENTRY_set_data|. It returns the |X509_NAME_ENTRY| on success 1584*8fb009dcSAndroid Build Coastguard Worker // and NULL on error. 1585*8fb009dcSAndroid Build Coastguard Worker // 1586*8fb009dcSAndroid Build Coastguard Worker // If |out| is non-NULL and |*out| is NULL, it additionally sets |*out| to the 1587*8fb009dcSAndroid Build Coastguard Worker // result on success. If both |out| and |*out| are non-NULL, it updates the 1588*8fb009dcSAndroid Build Coastguard Worker // object at |*out| instead of allocating a new one. 1589*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ( 1590*8fb009dcSAndroid Build Coastguard Worker X509_NAME_ENTRY **out, const ASN1_OBJECT *obj, int type, 1591*8fb009dcSAndroid Build Coastguard Worker const uint8_t *bytes, ossl_ssize_t len); 1592*8fb009dcSAndroid Build Coastguard Worker 1593*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_ENTRY_create_by_NID behaves like |X509_NAME_ENTRY_create_by_OBJ| 1594*8fb009dcSAndroid Build Coastguard Worker // except the attribute type is |nid|, which should be one of the |NID_*| 1595*8fb009dcSAndroid Build Coastguard Worker // constants. 1596*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID( 1597*8fb009dcSAndroid Build Coastguard Worker X509_NAME_ENTRY **out, int nid, int type, const uint8_t *bytes, 1598*8fb009dcSAndroid Build Coastguard Worker ossl_ssize_t len); 1599*8fb009dcSAndroid Build Coastguard Worker 1600*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_ENTRY_create_by_txt behaves like |X509_NAME_ENTRY_create_by_OBJ| 1601*8fb009dcSAndroid Build Coastguard Worker // except the attribute type is |field|, which is passed to |OBJ_txt2obj|. 1602*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt( 1603*8fb009dcSAndroid Build Coastguard Worker X509_NAME_ENTRY **out, const char *field, int type, const uint8_t *bytes, 1604*8fb009dcSAndroid Build Coastguard Worker ossl_ssize_t len); 1605*8fb009dcSAndroid Build Coastguard Worker 1606*8fb009dcSAndroid Build Coastguard Worker 1607*8fb009dcSAndroid Build Coastguard Worker // Public keys. 1608*8fb009dcSAndroid Build Coastguard Worker // 1609*8fb009dcSAndroid Build Coastguard Worker // X.509 encodes public keys as SubjectPublicKeyInfo (RFC 5280), sometimes 1610*8fb009dcSAndroid Build Coastguard Worker // referred to as SPKI. These are represented in this library by |X509_PUBKEY|. 1611*8fb009dcSAndroid Build Coastguard Worker 1612*8fb009dcSAndroid Build Coastguard Worker // X509_PUBKEY_new returns a newly-allocated, empty |X509_PUBKEY| object, or 1613*8fb009dcSAndroid Build Coastguard Worker // NULL on error. 1614*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_PUBKEY *X509_PUBKEY_new(void); 1615*8fb009dcSAndroid Build Coastguard Worker 1616*8fb009dcSAndroid Build Coastguard Worker // X509_PUBKEY_free releases memory associated with |key|. 1617*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_PUBKEY_free(X509_PUBKEY *key); 1618*8fb009dcSAndroid Build Coastguard Worker 1619*8fb009dcSAndroid Build Coastguard Worker // d2i_X509_PUBKEY parses up to |len| bytes from |*inp| as a DER-encoded 1620*8fb009dcSAndroid Build Coastguard Worker // SubjectPublicKeyInfo, as described in |d2i_SAMPLE|. 1621*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_PUBKEY *d2i_X509_PUBKEY(X509_PUBKEY **out, 1622*8fb009dcSAndroid Build Coastguard Worker const uint8_t **inp, long len); 1623*8fb009dcSAndroid Build Coastguard Worker 1624*8fb009dcSAndroid Build Coastguard Worker // i2d_X509_PUBKEY marshals |key| as a DER-encoded SubjectPublicKeyInfo, as 1625*8fb009dcSAndroid Build Coastguard Worker // described in |i2d_SAMPLE|. 1626*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_X509_PUBKEY(const X509_PUBKEY *key, uint8_t **outp); 1627*8fb009dcSAndroid Build Coastguard Worker 1628*8fb009dcSAndroid Build Coastguard Worker // X509_PUBKEY_set serializes |pkey| into a newly-allocated |X509_PUBKEY| 1629*8fb009dcSAndroid Build Coastguard Worker // structure. On success, it frees |*x| if non-NULL, then sets |*x| to the new 1630*8fb009dcSAndroid Build Coastguard Worker // object, and returns one. Otherwise, it returns zero. 1631*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey); 1632*8fb009dcSAndroid Build Coastguard Worker 1633*8fb009dcSAndroid Build Coastguard Worker // X509_PUBKEY_get0 returns |key| as an |EVP_PKEY|, or NULL if |key| either 1634*8fb009dcSAndroid Build Coastguard Worker // could not be parsed or is an unrecognized algorithm. The |EVP_PKEY| is cached 1635*8fb009dcSAndroid Build Coastguard Worker // in |key|, so callers must not mutate the result. 1636*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT EVP_PKEY *X509_PUBKEY_get0(const X509_PUBKEY *key); 1637*8fb009dcSAndroid Build Coastguard Worker 1638*8fb009dcSAndroid Build Coastguard Worker // X509_PUBKEY_get behaves like |X509_PUBKEY_get0| but increments the reference 1639*8fb009dcSAndroid Build Coastguard Worker // count on the |EVP_PKEY|. The caller must release the result with 1640*8fb009dcSAndroid Build Coastguard Worker // |EVP_PKEY_free| when done. The |EVP_PKEY| is cached in |key|, so callers must 1641*8fb009dcSAndroid Build Coastguard Worker // not mutate the result. 1642*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT EVP_PKEY *X509_PUBKEY_get(const X509_PUBKEY *key); 1643*8fb009dcSAndroid Build Coastguard Worker 1644*8fb009dcSAndroid Build Coastguard Worker // X509_PUBKEY_set0_param sets |pub| to a key with AlgorithmIdentifier 1645*8fb009dcSAndroid Build Coastguard Worker // determined by |obj|, |param_type|, and |param_value|, and an encoded 1646*8fb009dcSAndroid Build Coastguard Worker // public key of |key|. On success, it gives |pub| ownership of all the other 1647*8fb009dcSAndroid Build Coastguard Worker // parameters and returns one. Otherwise, it returns zero. |key| must have been 1648*8fb009dcSAndroid Build Coastguard Worker // allocated by |OPENSSL_malloc|. |obj| and, if applicable, |param_value| must 1649*8fb009dcSAndroid Build Coastguard Worker // not be freed after a successful call, and must have been allocated in a 1650*8fb009dcSAndroid Build Coastguard Worker // manner compatible with |ASN1_OBJECT_free| or |ASN1_STRING_free|. 1651*8fb009dcSAndroid Build Coastguard Worker // 1652*8fb009dcSAndroid Build Coastguard Worker // |obj|, |param_type|, and |param_value| are interpreted as in 1653*8fb009dcSAndroid Build Coastguard Worker // |X509_ALGOR_set0|. See |X509_ALGOR_set0| for details. 1654*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *obj, 1655*8fb009dcSAndroid Build Coastguard Worker int param_type, void *param_value, 1656*8fb009dcSAndroid Build Coastguard Worker uint8_t *key, int key_len); 1657*8fb009dcSAndroid Build Coastguard Worker 1658*8fb009dcSAndroid Build Coastguard Worker // X509_PUBKEY_get0_param outputs fields of |pub| and returns one. If |out_obj| 1659*8fb009dcSAndroid Build Coastguard Worker // is not NULL, it sets |*out_obj| to AlgorithmIdentifier's OID. If |out_key| 1660*8fb009dcSAndroid Build Coastguard Worker // is not NULL, it sets |*out_key| and |*out_key_len| to the encoded public key. 1661*8fb009dcSAndroid Build Coastguard Worker // If |out_alg| is not NULL, it sets |*out_alg| to the AlgorithmIdentifier. 1662*8fb009dcSAndroid Build Coastguard Worker // 1663*8fb009dcSAndroid Build Coastguard Worker // All pointers outputted by this function are internal to |pub| and must not be 1664*8fb009dcSAndroid Build Coastguard Worker // freed by the caller. Additionally, although some outputs are non-const, 1665*8fb009dcSAndroid Build Coastguard Worker // callers must not mutate the resulting objects. 1666*8fb009dcSAndroid Build Coastguard Worker // 1667*8fb009dcSAndroid Build Coastguard Worker // Note: X.509 SubjectPublicKeyInfo structures store the encoded public key as a 1668*8fb009dcSAndroid Build Coastguard Worker // BIT STRING. |*out_key| and |*out_key_len| will silently pad the key with zero 1669*8fb009dcSAndroid Build Coastguard Worker // bits if |pub| did not contain a whole number of bytes. Use 1670*8fb009dcSAndroid Build Coastguard Worker // |X509_PUBKEY_get0_public_key| to preserve this information. 1671*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_PUBKEY_get0_param(ASN1_OBJECT **out_obj, 1672*8fb009dcSAndroid Build Coastguard Worker const uint8_t **out_key, 1673*8fb009dcSAndroid Build Coastguard Worker int *out_key_len, 1674*8fb009dcSAndroid Build Coastguard Worker X509_ALGOR **out_alg, 1675*8fb009dcSAndroid Build Coastguard Worker X509_PUBKEY *pub); 1676*8fb009dcSAndroid Build Coastguard Worker 1677*8fb009dcSAndroid Build Coastguard Worker // X509_PUBKEY_get0_public_key returns |pub|'s encoded public key. 1678*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT const ASN1_BIT_STRING *X509_PUBKEY_get0_public_key( 1679*8fb009dcSAndroid Build Coastguard Worker const X509_PUBKEY *pub); 1680*8fb009dcSAndroid Build Coastguard Worker 1681*8fb009dcSAndroid Build Coastguard Worker 1682*8fb009dcSAndroid Build Coastguard Worker // Extensions. 1683*8fb009dcSAndroid Build Coastguard Worker // 1684*8fb009dcSAndroid Build Coastguard Worker // X.509 certificates and CRLs may contain a list of extensions (RFC 5280). 1685*8fb009dcSAndroid Build Coastguard Worker // Extensions have a type, specified by an object identifier (|ASN1_OBJECT|) and 1686*8fb009dcSAndroid Build Coastguard Worker // a byte string value, which should a DER-encoded structure whose type is 1687*8fb009dcSAndroid Build Coastguard Worker // determined by the extension type. This library represents extensions with the 1688*8fb009dcSAndroid Build Coastguard Worker // |X509_EXTENSION| type. 1689*8fb009dcSAndroid Build Coastguard Worker 1690*8fb009dcSAndroid Build Coastguard Worker // X509_EXTENSION is an |ASN1_ITEM| whose ASN.1 type is X.509 Extension (RFC 1691*8fb009dcSAndroid Build Coastguard Worker // 5280) and C type is |X509_EXTENSION*|. 1692*8fb009dcSAndroid Build Coastguard Worker DECLARE_ASN1_ITEM(X509_EXTENSION) 1693*8fb009dcSAndroid Build Coastguard Worker 1694*8fb009dcSAndroid Build Coastguard Worker // X509_EXTENSION_new returns a newly-allocated, empty |X509_EXTENSION| object 1695*8fb009dcSAndroid Build Coastguard Worker // or NULL on error. 1696*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_new(void); 1697*8fb009dcSAndroid Build Coastguard Worker 1698*8fb009dcSAndroid Build Coastguard Worker // X509_EXTENSION_free releases memory associated with |ex|. 1699*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_EXTENSION_free(X509_EXTENSION *ex); 1700*8fb009dcSAndroid Build Coastguard Worker 1701*8fb009dcSAndroid Build Coastguard Worker // d2i_X509_EXTENSION parses up to |len| bytes from |*inp| as a DER-encoded 1702*8fb009dcSAndroid Build Coastguard Worker // X.509 Extension (RFC 5280), as described in |d2i_SAMPLE|. 1703*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_EXTENSION *d2i_X509_EXTENSION(X509_EXTENSION **out, 1704*8fb009dcSAndroid Build Coastguard Worker const uint8_t **inp, 1705*8fb009dcSAndroid Build Coastguard Worker long len); 1706*8fb009dcSAndroid Build Coastguard Worker 1707*8fb009dcSAndroid Build Coastguard Worker // i2d_X509_EXTENSION marshals |ex| as a DER-encoded X.509 Extension (RFC 1708*8fb009dcSAndroid Build Coastguard Worker // 5280), as described in |i2d_SAMPLE|. 1709*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_X509_EXTENSION(const X509_EXTENSION *ex, uint8_t **outp); 1710*8fb009dcSAndroid Build Coastguard Worker 1711*8fb009dcSAndroid Build Coastguard Worker // X509_EXTENSION_dup returns a newly-allocated copy of |ex|, or NULL on error. 1712*8fb009dcSAndroid Build Coastguard Worker // This function works by serializing the structure, so if |ex| is incomplete, 1713*8fb009dcSAndroid Build Coastguard Worker // it may fail. 1714*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_dup(const X509_EXTENSION *ex); 1715*8fb009dcSAndroid Build Coastguard Worker 1716*8fb009dcSAndroid Build Coastguard Worker // X509_EXTENSION_create_by_NID creates a new |X509_EXTENSION| with type |nid|, 1717*8fb009dcSAndroid Build Coastguard Worker // value |data|, and critical bit |crit|. It returns an |X509_EXTENSION| on 1718*8fb009dcSAndroid Build Coastguard Worker // success, and NULL on error. |nid| should be a |NID_*| constant. 1719*8fb009dcSAndroid Build Coastguard Worker // 1720*8fb009dcSAndroid Build Coastguard Worker // If |ex| and |*ex| are both non-NULL, |*ex| is used to hold the result, 1721*8fb009dcSAndroid Build Coastguard Worker // otherwise a new object is allocated. If |ex| is non-NULL and |*ex| is NULL, 1722*8fb009dcSAndroid Build Coastguard Worker // the function sets |*ex| to point to the newly allocated result, in addition 1723*8fb009dcSAndroid Build Coastguard Worker // to returning the result. 1724*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_create_by_NID( 1725*8fb009dcSAndroid Build Coastguard Worker X509_EXTENSION **ex, int nid, int crit, const ASN1_OCTET_STRING *data); 1726*8fb009dcSAndroid Build Coastguard Worker 1727*8fb009dcSAndroid Build Coastguard Worker // X509_EXTENSION_create_by_OBJ behaves like |X509_EXTENSION_create_by_NID|, but 1728*8fb009dcSAndroid Build Coastguard Worker // the extension type is determined by an |ASN1_OBJECT|. 1729*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_create_by_OBJ( 1730*8fb009dcSAndroid Build Coastguard Worker X509_EXTENSION **ex, const ASN1_OBJECT *obj, int crit, 1731*8fb009dcSAndroid Build Coastguard Worker const ASN1_OCTET_STRING *data); 1732*8fb009dcSAndroid Build Coastguard Worker 1733*8fb009dcSAndroid Build Coastguard Worker // X509_EXTENSION_get_object returns |ex|'s extension type. This function 1734*8fb009dcSAndroid Build Coastguard Worker // returns a non-const pointer for OpenSSL compatibility, but callers should not 1735*8fb009dcSAndroid Build Coastguard Worker // mutate the result. 1736*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT ASN1_OBJECT *X509_EXTENSION_get_object(const X509_EXTENSION *ex); 1737*8fb009dcSAndroid Build Coastguard Worker 1738*8fb009dcSAndroid Build Coastguard Worker // X509_EXTENSION_get_data returns |ne|'s extension value. This function returns 1739*8fb009dcSAndroid Build Coastguard Worker // a non-const pointer for OpenSSL compatibility, but callers should not mutate 1740*8fb009dcSAndroid Build Coastguard Worker // the result. 1741*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT ASN1_OCTET_STRING *X509_EXTENSION_get_data( 1742*8fb009dcSAndroid Build Coastguard Worker const X509_EXTENSION *ne); 1743*8fb009dcSAndroid Build Coastguard Worker 1744*8fb009dcSAndroid Build Coastguard Worker // X509_EXTENSION_get_critical returns one if |ex| is critical and zero 1745*8fb009dcSAndroid Build Coastguard Worker // otherwise. 1746*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_EXTENSION_get_critical(const X509_EXTENSION *ex); 1747*8fb009dcSAndroid Build Coastguard Worker 1748*8fb009dcSAndroid Build Coastguard Worker // X509_EXTENSION_set_object sets |ex|'s extension type to |obj|. It returns one 1749*8fb009dcSAndroid Build Coastguard Worker // on success and zero on error. 1750*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_EXTENSION_set_object(X509_EXTENSION *ex, 1751*8fb009dcSAndroid Build Coastguard Worker const ASN1_OBJECT *obj); 1752*8fb009dcSAndroid Build Coastguard Worker 1753*8fb009dcSAndroid Build Coastguard Worker // X509_EXTENSION_set_critical sets |ex| to critical if |crit| is non-zero and 1754*8fb009dcSAndroid Build Coastguard Worker // to non-critical if |crit| is zero. 1755*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit); 1756*8fb009dcSAndroid Build Coastguard Worker 1757*8fb009dcSAndroid Build Coastguard Worker // X509_EXTENSION_set_data set's |ex|'s extension value to a copy of |data|. It 1758*8fb009dcSAndroid Build Coastguard Worker // returns one on success and zero on error. 1759*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_EXTENSION_set_data(X509_EXTENSION *ex, 1760*8fb009dcSAndroid Build Coastguard Worker const ASN1_OCTET_STRING *data); 1761*8fb009dcSAndroid Build Coastguard Worker 1762*8fb009dcSAndroid Build Coastguard Worker 1763*8fb009dcSAndroid Build Coastguard Worker // Extension lists. 1764*8fb009dcSAndroid Build Coastguard Worker // 1765*8fb009dcSAndroid Build Coastguard Worker // The following functions manipulate lists of extensions. Most of them have 1766*8fb009dcSAndroid Build Coastguard Worker // corresponding functions on the containing |X509|, |X509_CRL|, or 1767*8fb009dcSAndroid Build Coastguard Worker // |X509_REVOKED|. 1768*8fb009dcSAndroid Build Coastguard Worker 1769*8fb009dcSAndroid Build Coastguard Worker DEFINE_STACK_OF(X509_EXTENSION) 1770*8fb009dcSAndroid Build Coastguard Worker typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS; 1771*8fb009dcSAndroid Build Coastguard Worker 1772*8fb009dcSAndroid Build Coastguard Worker // d2i_X509_EXTENSIONS parses up to |len| bytes from |*inp| as a DER-encoded 1773*8fb009dcSAndroid Build Coastguard Worker // SEQUENCE OF Extension (RFC 5280), as described in |d2i_SAMPLE|. 1774*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_EXTENSIONS *d2i_X509_EXTENSIONS(X509_EXTENSIONS **out, 1775*8fb009dcSAndroid Build Coastguard Worker const uint8_t **inp, 1776*8fb009dcSAndroid Build Coastguard Worker long len); 1777*8fb009dcSAndroid Build Coastguard Worker 1778*8fb009dcSAndroid Build Coastguard Worker // i2d_X509_EXTENSIONS marshals |alg| as a DER-encoded SEQUENCE OF Extension 1779*8fb009dcSAndroid Build Coastguard Worker // (RFC 5280), as described in |i2d_SAMPLE|. 1780*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_X509_EXTENSIONS(const X509_EXTENSIONS *alg, 1781*8fb009dcSAndroid Build Coastguard Worker uint8_t **outp); 1782*8fb009dcSAndroid Build Coastguard Worker 1783*8fb009dcSAndroid Build Coastguard Worker // X509v3_get_ext_count returns the number of extensions in |x|. 1784*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x); 1785*8fb009dcSAndroid Build Coastguard Worker 1786*8fb009dcSAndroid Build Coastguard Worker // X509v3_get_ext_by_NID returns the index of the first extension in |x| with 1787*8fb009dcSAndroid Build Coastguard Worker // type |nid|, or a negative number if not found. If found, callers can use 1788*8fb009dcSAndroid Build Coastguard Worker // |X509v3_get_ext| to look up the extension by index. 1789*8fb009dcSAndroid Build Coastguard Worker // 1790*8fb009dcSAndroid Build Coastguard Worker // If |lastpos| is non-negative, it begins searching at |lastpos| + 1. Callers 1791*8fb009dcSAndroid Build Coastguard Worker // can thus loop over all matching extensions by first passing -1 and then 1792*8fb009dcSAndroid Build Coastguard Worker // passing the previously-returned value until no match is returned. 1793*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, 1794*8fb009dcSAndroid Build Coastguard Worker int nid, int lastpos); 1795*8fb009dcSAndroid Build Coastguard Worker 1796*8fb009dcSAndroid Build Coastguard Worker // X509v3_get_ext_by_OBJ behaves like |X509v3_get_ext_by_NID| but looks for 1797*8fb009dcSAndroid Build Coastguard Worker // extensions matching |obj|. 1798*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *x, 1799*8fb009dcSAndroid Build Coastguard Worker const ASN1_OBJECT *obj, int lastpos); 1800*8fb009dcSAndroid Build Coastguard Worker 1801*8fb009dcSAndroid Build Coastguard Worker // X509v3_get_ext_by_critical returns the index of the first extension in |x| 1802*8fb009dcSAndroid Build Coastguard Worker // whose critical bit matches |crit|, or a negative number if no such extension 1803*8fb009dcSAndroid Build Coastguard Worker // was found. 1804*8fb009dcSAndroid Build Coastguard Worker // 1805*8fb009dcSAndroid Build Coastguard Worker // If |lastpos| is non-negative, it begins searching at |lastpos| + 1. Callers 1806*8fb009dcSAndroid Build Coastguard Worker // can thus loop over all matching extensions by first passing -1 and then 1807*8fb009dcSAndroid Build Coastguard Worker // passing the previously-returned value until no match is returned. 1808*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *x, 1809*8fb009dcSAndroid Build Coastguard Worker int crit, int lastpos); 1810*8fb009dcSAndroid Build Coastguard Worker 1811*8fb009dcSAndroid Build Coastguard Worker // X509v3_get_ext returns the extension in |x| at index |loc|, or NULL if |loc| 1812*8fb009dcSAndroid Build Coastguard Worker // is out of bounds. This function returns a non-const pointer for OpenSSL 1813*8fb009dcSAndroid Build Coastguard Worker // compatibility, but callers should not mutate the result. 1814*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, 1815*8fb009dcSAndroid Build Coastguard Worker int loc); 1816*8fb009dcSAndroid Build Coastguard Worker 1817*8fb009dcSAndroid Build Coastguard Worker // X509v3_delete_ext removes the extension in |x| at index |loc| and returns the 1818*8fb009dcSAndroid Build Coastguard Worker // removed extension, or NULL if |loc| was out of bounds. If an extension was 1819*8fb009dcSAndroid Build Coastguard Worker // returned, the caller must release it with |X509_EXTENSION_free|. 1820*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, 1821*8fb009dcSAndroid Build Coastguard Worker int loc); 1822*8fb009dcSAndroid Build Coastguard Worker 1823*8fb009dcSAndroid Build Coastguard Worker // X509v3_add_ext adds a copy of |ex| to the extension list in |*x|. If |*x| is 1824*8fb009dcSAndroid Build Coastguard Worker // NULL, it allocates a new |STACK_OF(X509_EXTENSION)| to hold the copy and sets 1825*8fb009dcSAndroid Build Coastguard Worker // |*x| to the new list. It returns |*x| on success and NULL on error. The 1826*8fb009dcSAndroid Build Coastguard Worker // caller retains ownership of |ex| and can release it independently of |*x|. 1827*8fb009dcSAndroid Build Coastguard Worker // 1828*8fb009dcSAndroid Build Coastguard Worker // The new extension is inserted at index |loc|, shifting extensions to the 1829*8fb009dcSAndroid Build Coastguard Worker // right. If |loc| is -1 or out of bounds, the new extension is appended to the 1830*8fb009dcSAndroid Build Coastguard Worker // list. 1831*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT STACK_OF(X509_EXTENSION) *X509v3_add_ext( 1832*8fb009dcSAndroid Build Coastguard Worker STACK_OF(X509_EXTENSION) **x, const X509_EXTENSION *ex, int loc); 1833*8fb009dcSAndroid Build Coastguard Worker 1834*8fb009dcSAndroid Build Coastguard Worker 1835*8fb009dcSAndroid Build Coastguard Worker // Built-in extensions. 1836*8fb009dcSAndroid Build Coastguard Worker // 1837*8fb009dcSAndroid Build Coastguard Worker // Several functions in the library encode and decode extension values into a 1838*8fb009dcSAndroid Build Coastguard Worker // C structure to that extension. The following extensions are supported: 1839*8fb009dcSAndroid Build Coastguard Worker // 1840*8fb009dcSAndroid Build Coastguard Worker // - |NID_authority_key_identifier| with type |AUTHORITY_KEYID| 1841*8fb009dcSAndroid Build Coastguard Worker // - |NID_basic_constraints| with type |BASIC_CONSTRAINTS| 1842*8fb009dcSAndroid Build Coastguard Worker // - |NID_certificate_issuer| with type |GENERAL_NAMES| 1843*8fb009dcSAndroid Build Coastguard Worker // - |NID_certificate_policies| with type |CERTIFICATEPOLICIES| 1844*8fb009dcSAndroid Build Coastguard Worker // - |NID_crl_distribution_points| with type |CRL_DIST_POINTS| 1845*8fb009dcSAndroid Build Coastguard Worker // - |NID_crl_number| with type |ASN1_INTEGER| 1846*8fb009dcSAndroid Build Coastguard Worker // - |NID_crl_reason| with type |ASN1_ENUMERATED| 1847*8fb009dcSAndroid Build Coastguard Worker // - |NID_delta_crl| with type |ASN1_INTEGER| 1848*8fb009dcSAndroid Build Coastguard Worker // - |NID_ext_key_usage| with type |EXTENDED_KEY_USAGE| 1849*8fb009dcSAndroid Build Coastguard Worker // - |NID_freshest_crl| with type |ISSUING_DIST_POINT| 1850*8fb009dcSAndroid Build Coastguard Worker // - |NID_id_pkix_OCSP_noCheck| with type |ASN1_NULL| 1851*8fb009dcSAndroid Build Coastguard Worker // - |NID_info_access| with type |AUTHORITY_INFO_ACCESS| 1852*8fb009dcSAndroid Build Coastguard Worker // - |NID_inhibit_any_policy| with type |ASN1_INTEGER| 1853*8fb009dcSAndroid Build Coastguard Worker // - |NID_invalidity_date| with type |ASN1_GENERALIZEDTIME| 1854*8fb009dcSAndroid Build Coastguard Worker // - |NID_issuer_alt_name| with type |GENERAL_NAMES| 1855*8fb009dcSAndroid Build Coastguard Worker // - |NID_issuing_distribution_point| with type |ISSUING_DIST_POINT| 1856*8fb009dcSAndroid Build Coastguard Worker // - |NID_key_usage| with type |ASN1_BIT_STRING| 1857*8fb009dcSAndroid Build Coastguard Worker // - |NID_name_constraints| with type |NAME_CONSTRAINTS| 1858*8fb009dcSAndroid Build Coastguard Worker // - |NID_netscape_base_url| with type |ASN1_IA5STRING| 1859*8fb009dcSAndroid Build Coastguard Worker // - |NID_netscape_ca_policy_url| with type |ASN1_IA5STRING| 1860*8fb009dcSAndroid Build Coastguard Worker // - |NID_netscape_ca_revocation_url| with type |ASN1_IA5STRING| 1861*8fb009dcSAndroid Build Coastguard Worker // - |NID_netscape_cert_type| with type |ASN1_BIT_STRING| 1862*8fb009dcSAndroid Build Coastguard Worker // - |NID_netscape_comment| with type |ASN1_IA5STRING| 1863*8fb009dcSAndroid Build Coastguard Worker // - |NID_netscape_renewal_url| with type |ASN1_IA5STRING| 1864*8fb009dcSAndroid Build Coastguard Worker // - |NID_netscape_revocation_url| with type |ASN1_IA5STRING| 1865*8fb009dcSAndroid Build Coastguard Worker // - |NID_netscape_ssl_server_name| with type |ASN1_IA5STRING| 1866*8fb009dcSAndroid Build Coastguard Worker // - |NID_policy_constraints| with type |POLICY_CONSTRAINTS| 1867*8fb009dcSAndroid Build Coastguard Worker // - |NID_policy_mappings| with type |POLICY_MAPPINGS| 1868*8fb009dcSAndroid Build Coastguard Worker // - |NID_sinfo_access| with type |AUTHORITY_INFO_ACCESS| 1869*8fb009dcSAndroid Build Coastguard Worker // - |NID_subject_alt_name| with type |GENERAL_NAMES| 1870*8fb009dcSAndroid Build Coastguard Worker // - |NID_subject_key_identifier| with type |ASN1_OCTET_STRING| 1871*8fb009dcSAndroid Build Coastguard Worker // 1872*8fb009dcSAndroid Build Coastguard Worker // If an extension does not appear in this list, e.g. for a custom extension, 1873*8fb009dcSAndroid Build Coastguard Worker // callers can instead use functions such as |X509_get_ext_by_OBJ|, 1874*8fb009dcSAndroid Build Coastguard Worker // |X509_EXTENSION_get_data|, and |X509_EXTENSION_create_by_OBJ| to inspect or 1875*8fb009dcSAndroid Build Coastguard Worker // create extensions directly. Although the |X509V3_EXT_METHOD| mechanism allows 1876*8fb009dcSAndroid Build Coastguard Worker // registering custom extensions, doing so is deprecated and may result in 1877*8fb009dcSAndroid Build Coastguard Worker // threading or memory errors. 1878*8fb009dcSAndroid Build Coastguard Worker 1879*8fb009dcSAndroid Build Coastguard Worker // X509V3_EXT_d2i decodes |ext| and returns a pointer to a newly-allocated 1880*8fb009dcSAndroid Build Coastguard Worker // structure, with type dependent on the type of the extension. It returns NULL 1881*8fb009dcSAndroid Build Coastguard Worker // if |ext| is an unsupported extension or if there was a syntax error in the 1882*8fb009dcSAndroid Build Coastguard Worker // extension. The caller should cast the return value to the expected type and 1883*8fb009dcSAndroid Build Coastguard Worker // free the structure when done. 1884*8fb009dcSAndroid Build Coastguard Worker // 1885*8fb009dcSAndroid Build Coastguard Worker // WARNING: Casting the return value to the wrong type is a potentially 1886*8fb009dcSAndroid Build Coastguard Worker // exploitable memory error, so callers must not use this function before 1887*8fb009dcSAndroid Build Coastguard Worker // checking |ext| is of a known type. See the list at the top of this section 1888*8fb009dcSAndroid Build Coastguard Worker // for the correct types. 1889*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void *X509V3_EXT_d2i(const X509_EXTENSION *ext); 1890*8fb009dcSAndroid Build Coastguard Worker 1891*8fb009dcSAndroid Build Coastguard Worker // X509V3_get_d2i finds and decodes the extension in |extensions| of type |nid|. 1892*8fb009dcSAndroid Build Coastguard Worker // If found, it decodes it and returns a newly-allocated structure, with type 1893*8fb009dcSAndroid Build Coastguard Worker // dependent on |nid|. If the extension is not found or on error, it returns 1894*8fb009dcSAndroid Build Coastguard Worker // NULL. The caller may distinguish these cases using the |out_critical| value. 1895*8fb009dcSAndroid Build Coastguard Worker // 1896*8fb009dcSAndroid Build Coastguard Worker // If |out_critical| is not NULL, this function sets |*out_critical| to one if 1897*8fb009dcSAndroid Build Coastguard Worker // the extension is found and critical, zero if it is found and not critical, -1 1898*8fb009dcSAndroid Build Coastguard Worker // if it is not found, and -2 if there is an invalid duplicate extension. Note 1899*8fb009dcSAndroid Build Coastguard Worker // this function may set |*out_critical| to one or zero and still return NULL if 1900*8fb009dcSAndroid Build Coastguard Worker // the extension is found but has a syntax error. 1901*8fb009dcSAndroid Build Coastguard Worker // 1902*8fb009dcSAndroid Build Coastguard Worker // If |out_idx| is not NULL, this function looks for the first occurrence of the 1903*8fb009dcSAndroid Build Coastguard Worker // extension after |*out_idx|. It then sets |*out_idx| to the index of the 1904*8fb009dcSAndroid Build Coastguard Worker // extension, or -1 if not found. If |out_idx| is non-NULL, duplicate extensions 1905*8fb009dcSAndroid Build Coastguard Worker // are not treated as an error. Callers, however, should not rely on this 1906*8fb009dcSAndroid Build Coastguard Worker // behavior as it may be removed in the future. Duplicate extensions are 1907*8fb009dcSAndroid Build Coastguard Worker // forbidden in RFC 5280. 1908*8fb009dcSAndroid Build Coastguard Worker // 1909*8fb009dcSAndroid Build Coastguard Worker // WARNING: This function is difficult to use correctly. Callers should pass a 1910*8fb009dcSAndroid Build Coastguard Worker // non-NULL |out_critical| and check both the return value and |*out_critical| 1911*8fb009dcSAndroid Build Coastguard Worker // to handle errors. If the return value is NULL and |*out_critical| is not -1, 1912*8fb009dcSAndroid Build Coastguard Worker // there was an error. Otherwise, the function succeeded and but may return NULL 1913*8fb009dcSAndroid Build Coastguard Worker // for a missing extension. Callers should pass NULL to |out_idx| so that 1914*8fb009dcSAndroid Build Coastguard Worker // duplicate extensions are handled correctly. 1915*8fb009dcSAndroid Build Coastguard Worker // 1916*8fb009dcSAndroid Build Coastguard Worker // Additionally, casting the return value to the wrong type is a potentially 1917*8fb009dcSAndroid Build Coastguard Worker // exploitable memory error, so callers must ensure the cast and |nid| match. 1918*8fb009dcSAndroid Build Coastguard Worker // See the list at the top of this section for the correct types. 1919*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *extensions, 1920*8fb009dcSAndroid Build Coastguard Worker int nid, int *out_critical, int *out_idx); 1921*8fb009dcSAndroid Build Coastguard Worker 1922*8fb009dcSAndroid Build Coastguard Worker // X509V3_EXT_free casts |ext_data| into the type that corresponds to |nid| and 1923*8fb009dcSAndroid Build Coastguard Worker // releases memory associated with it. It returns one on success and zero if 1924*8fb009dcSAndroid Build Coastguard Worker // |nid| is not a known extension. 1925*8fb009dcSAndroid Build Coastguard Worker // 1926*8fb009dcSAndroid Build Coastguard Worker // WARNING: Casting |ext_data| to the wrong type is a potentially exploitable 1927*8fb009dcSAndroid Build Coastguard Worker // memory error, so callers must ensure |ext_data|'s type matches |nid|. See the 1928*8fb009dcSAndroid Build Coastguard Worker // list at the top of this section for the correct types. 1929*8fb009dcSAndroid Build Coastguard Worker // 1930*8fb009dcSAndroid Build Coastguard Worker // TODO(davidben): OpenSSL upstream no longer exposes this function. Remove it? 1931*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509V3_EXT_free(int nid, void *ext_data); 1932*8fb009dcSAndroid Build Coastguard Worker 1933*8fb009dcSAndroid Build Coastguard Worker // X509V3_EXT_i2d casts |ext_struc| into the type that corresponds to 1934*8fb009dcSAndroid Build Coastguard Worker // |ext_nid|, serializes it, and returns a newly-allocated |X509_EXTENSION| 1935*8fb009dcSAndroid Build Coastguard Worker // object containing the serialization, or NULL on error. The |X509_EXTENSION| 1936*8fb009dcSAndroid Build Coastguard Worker // has OID |ext_nid| and is critical if |crit| is one. 1937*8fb009dcSAndroid Build Coastguard Worker // 1938*8fb009dcSAndroid Build Coastguard Worker // WARNING: Casting |ext_struc| to the wrong type is a potentially exploitable 1939*8fb009dcSAndroid Build Coastguard Worker // memory error, so callers must ensure |ext_struct|'s type matches |ext_nid|. 1940*8fb009dcSAndroid Build Coastguard Worker // See the list at the top of this section for the correct types. 1941*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, 1942*8fb009dcSAndroid Build Coastguard Worker void *ext_struc); 1943*8fb009dcSAndroid Build Coastguard Worker 1944*8fb009dcSAndroid Build Coastguard Worker // The following constants control the behavior of |X509V3_add1_i2d| and related 1945*8fb009dcSAndroid Build Coastguard Worker // functions. 1946*8fb009dcSAndroid Build Coastguard Worker 1947*8fb009dcSAndroid Build Coastguard Worker // X509V3_ADD_OP_MASK can be ANDed with the flags to determine how duplicate 1948*8fb009dcSAndroid Build Coastguard Worker // extensions are processed. 1949*8fb009dcSAndroid Build Coastguard Worker #define X509V3_ADD_OP_MASK 0xfL 1950*8fb009dcSAndroid Build Coastguard Worker 1951*8fb009dcSAndroid Build Coastguard Worker // X509V3_ADD_DEFAULT causes the function to fail if the extension was already 1952*8fb009dcSAndroid Build Coastguard Worker // present. 1953*8fb009dcSAndroid Build Coastguard Worker #define X509V3_ADD_DEFAULT 0L 1954*8fb009dcSAndroid Build Coastguard Worker 1955*8fb009dcSAndroid Build Coastguard Worker // X509V3_ADD_APPEND causes the function to unconditionally appended the new 1956*8fb009dcSAndroid Build Coastguard Worker // extension to to the extensions list, even if there is a duplicate. 1957*8fb009dcSAndroid Build Coastguard Worker #define X509V3_ADD_APPEND 1L 1958*8fb009dcSAndroid Build Coastguard Worker 1959*8fb009dcSAndroid Build Coastguard Worker // X509V3_ADD_REPLACE causes the function to replace the existing extension, or 1960*8fb009dcSAndroid Build Coastguard Worker // append if it is not present. 1961*8fb009dcSAndroid Build Coastguard Worker #define X509V3_ADD_REPLACE 2L 1962*8fb009dcSAndroid Build Coastguard Worker 1963*8fb009dcSAndroid Build Coastguard Worker // X509V3_ADD_REPLACE_EXISTING causes the function to replace the existing 1964*8fb009dcSAndroid Build Coastguard Worker // extension and fail if it is not present. 1965*8fb009dcSAndroid Build Coastguard Worker #define X509V3_ADD_REPLACE_EXISTING 3L 1966*8fb009dcSAndroid Build Coastguard Worker 1967*8fb009dcSAndroid Build Coastguard Worker // X509V3_ADD_KEEP_EXISTING causes the function to succeed without replacing the 1968*8fb009dcSAndroid Build Coastguard Worker // extension if already present. 1969*8fb009dcSAndroid Build Coastguard Worker #define X509V3_ADD_KEEP_EXISTING 4L 1970*8fb009dcSAndroid Build Coastguard Worker 1971*8fb009dcSAndroid Build Coastguard Worker // X509V3_ADD_DELETE causes the function to remove the matching extension. No 1972*8fb009dcSAndroid Build Coastguard Worker // new extension is added. If there is no matching extension, the function 1973*8fb009dcSAndroid Build Coastguard Worker // fails. The |value| parameter is ignored in this mode. 1974*8fb009dcSAndroid Build Coastguard Worker #define X509V3_ADD_DELETE 5L 1975*8fb009dcSAndroid Build Coastguard Worker 1976*8fb009dcSAndroid Build Coastguard Worker // X509V3_ADD_SILENT may be ORed into one of the values above to indicate the 1977*8fb009dcSAndroid Build Coastguard Worker // function should not add to the error queue on duplicate or missing extension. 1978*8fb009dcSAndroid Build Coastguard Worker // The function will continue to return zero in those cases, and it will 1979*8fb009dcSAndroid Build Coastguard Worker // continue to return -1 and add to the error queue on other errors. 1980*8fb009dcSAndroid Build Coastguard Worker #define X509V3_ADD_SILENT 0x10 1981*8fb009dcSAndroid Build Coastguard Worker 1982*8fb009dcSAndroid Build Coastguard Worker // X509V3_add1_i2d casts |value| to the type that corresponds to |nid|, 1983*8fb009dcSAndroid Build Coastguard Worker // serializes it, and appends it to the extension list in |*x|. If |*x| is NULL, 1984*8fb009dcSAndroid Build Coastguard Worker // it will set |*x| to a newly-allocated |STACK_OF(X509_EXTENSION)| as needed. 1985*8fb009dcSAndroid Build Coastguard Worker // The |crit| parameter determines whether the new extension is critical. 1986*8fb009dcSAndroid Build Coastguard Worker // |flags| may be some combination of the |X509V3_ADD_*| constants to control 1987*8fb009dcSAndroid Build Coastguard Worker // the function's behavior on duplicate extension. 1988*8fb009dcSAndroid Build Coastguard Worker // 1989*8fb009dcSAndroid Build Coastguard Worker // This function returns one on success, zero if the operation failed due to a 1990*8fb009dcSAndroid Build Coastguard Worker // missing or duplicate extension, and -1 on other errors. 1991*8fb009dcSAndroid Build Coastguard Worker // 1992*8fb009dcSAndroid Build Coastguard Worker // WARNING: Casting |value| to the wrong type is a potentially exploitable 1993*8fb009dcSAndroid Build Coastguard Worker // memory error, so callers must ensure |value|'s type matches |nid|. See the 1994*8fb009dcSAndroid Build Coastguard Worker // list at the top of this section for the correct types. 1995*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, 1996*8fb009dcSAndroid Build Coastguard Worker void *value, int crit, unsigned long flags); 1997*8fb009dcSAndroid Build Coastguard Worker 1998*8fb009dcSAndroid Build Coastguard Worker 1999*8fb009dcSAndroid Build Coastguard Worker // Basic constraints. 2000*8fb009dcSAndroid Build Coastguard Worker // 2001*8fb009dcSAndroid Build Coastguard Worker // The basic constraints extension (RFC 5280, section 4.2.1.9) determines 2002*8fb009dcSAndroid Build Coastguard Worker // whether a certificate is a CA certificate and, if so, optionally constrains 2003*8fb009dcSAndroid Build Coastguard Worker // the maximum depth of the certificate chain. 2004*8fb009dcSAndroid Build Coastguard Worker 2005*8fb009dcSAndroid Build Coastguard Worker // A BASIC_CONSTRAINTS_st, aka |BASIC_CONSTRAINTS| represents an 2006*8fb009dcSAndroid Build Coastguard Worker // BasicConstraints structure (RFC 5280). 2007*8fb009dcSAndroid Build Coastguard Worker struct BASIC_CONSTRAINTS_st { 2008*8fb009dcSAndroid Build Coastguard Worker ASN1_BOOLEAN ca; 2009*8fb009dcSAndroid Build Coastguard Worker ASN1_INTEGER *pathlen; 2010*8fb009dcSAndroid Build Coastguard Worker } /* BASIC_CONSTRAINTS */; 2011*8fb009dcSAndroid Build Coastguard Worker 2012*8fb009dcSAndroid Build Coastguard Worker // BASIC_CONSTRAINTS is an |ASN1_ITEM| whose ASN.1 type is BasicConstraints (RFC 2013*8fb009dcSAndroid Build Coastguard Worker // 5280) and C type is |BASIC_CONSTRAINTS*|. 2014*8fb009dcSAndroid Build Coastguard Worker DECLARE_ASN1_ITEM(BASIC_CONSTRAINTS) 2015*8fb009dcSAndroid Build Coastguard Worker 2016*8fb009dcSAndroid Build Coastguard Worker // BASIC_CONSTRAINTS_new returns a newly-allocated, empty |BASIC_CONSTRAINTS| 2017*8fb009dcSAndroid Build Coastguard Worker // object, or NULL on error. 2018*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT BASIC_CONSTRAINTS *BASIC_CONSTRAINTS_new(void); 2019*8fb009dcSAndroid Build Coastguard Worker 2020*8fb009dcSAndroid Build Coastguard Worker // BASIC_CONSTRAINTS_free releases memory associated with |bcons|. 2021*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void BASIC_CONSTRAINTS_free(BASIC_CONSTRAINTS *bcons); 2022*8fb009dcSAndroid Build Coastguard Worker 2023*8fb009dcSAndroid Build Coastguard Worker // d2i_BASIC_CONSTRAINTS parses up to |len| bytes from |*inp| as a DER-encoded 2024*8fb009dcSAndroid Build Coastguard Worker // BasicConstraints (RFC 5280), as described in |d2i_SAMPLE|. 2025*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT BASIC_CONSTRAINTS *d2i_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS **out, 2026*8fb009dcSAndroid Build Coastguard Worker const uint8_t **inp, 2027*8fb009dcSAndroid Build Coastguard Worker long len); 2028*8fb009dcSAndroid Build Coastguard Worker 2029*8fb009dcSAndroid Build Coastguard Worker // i2d_BASIC_CONSTRAINTS marshals |bcons| as a DER-encoded BasicConstraints (RFC 2030*8fb009dcSAndroid Build Coastguard Worker // 5280), as described in |i2d_SAMPLE|. 2031*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_BASIC_CONSTRAINTS(const BASIC_CONSTRAINTS *bcons, 2032*8fb009dcSAndroid Build Coastguard Worker uint8_t **outp); 2033*8fb009dcSAndroid Build Coastguard Worker 2034*8fb009dcSAndroid Build Coastguard Worker 2035*8fb009dcSAndroid Build Coastguard Worker // Extended key usage. 2036*8fb009dcSAndroid Build Coastguard Worker // 2037*8fb009dcSAndroid Build Coastguard Worker // The extended key usage extension (RFC 5280, section 4.2.1.12) indicates the 2038*8fb009dcSAndroid Build Coastguard Worker // purposes of the certificate's public key. Such constraints are important to 2039*8fb009dcSAndroid Build Coastguard Worker // avoid cross-protocol attacks. 2040*8fb009dcSAndroid Build Coastguard Worker 2041*8fb009dcSAndroid Build Coastguard Worker typedef STACK_OF(ASN1_OBJECT) EXTENDED_KEY_USAGE; 2042*8fb009dcSAndroid Build Coastguard Worker 2043*8fb009dcSAndroid Build Coastguard Worker // EXTENDED_KEY_USAGE is an |ASN1_ITEM| whose ASN.1 type is ExtKeyUsageSyntax 2044*8fb009dcSAndroid Build Coastguard Worker // (RFC 5280) and C type is |STACK_OF(ASN1_OBJECT)*|, or |EXTENDED_KEY_USAGE*|. 2045*8fb009dcSAndroid Build Coastguard Worker DECLARE_ASN1_ITEM(EXTENDED_KEY_USAGE) 2046*8fb009dcSAndroid Build Coastguard Worker 2047*8fb009dcSAndroid Build Coastguard Worker // EXTENDED_KEY_USAGE_new returns a newly-allocated, empty |EXTENDED_KEY_USAGE| 2048*8fb009dcSAndroid Build Coastguard Worker // object, or NULL on error. 2049*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT EXTENDED_KEY_USAGE *EXTENDED_KEY_USAGE_new(void); 2050*8fb009dcSAndroid Build Coastguard Worker 2051*8fb009dcSAndroid Build Coastguard Worker // EXTENDED_KEY_USAGE_free releases memory associated with |eku|. 2052*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void EXTENDED_KEY_USAGE_free(EXTENDED_KEY_USAGE *eku); 2053*8fb009dcSAndroid Build Coastguard Worker 2054*8fb009dcSAndroid Build Coastguard Worker // d2i_EXTENDED_KEY_USAGE parses up to |len| bytes from |*inp| as a DER-encoded 2055*8fb009dcSAndroid Build Coastguard Worker // ExtKeyUsageSyntax (RFC 5280), as described in |d2i_SAMPLE|. 2056*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT EXTENDED_KEY_USAGE *d2i_EXTENDED_KEY_USAGE( 2057*8fb009dcSAndroid Build Coastguard Worker EXTENDED_KEY_USAGE **out, const uint8_t **inp, long len); 2058*8fb009dcSAndroid Build Coastguard Worker 2059*8fb009dcSAndroid Build Coastguard Worker // i2d_EXTENDED_KEY_USAGE marshals |eku| as a DER-encoded ExtKeyUsageSyntax (RFC 2060*8fb009dcSAndroid Build Coastguard Worker // 5280), as described in |i2d_SAMPLE|. 2061*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_EXTENDED_KEY_USAGE(const EXTENDED_KEY_USAGE *eku, 2062*8fb009dcSAndroid Build Coastguard Worker uint8_t **outp); 2063*8fb009dcSAndroid Build Coastguard Worker 2064*8fb009dcSAndroid Build Coastguard Worker 2065*8fb009dcSAndroid Build Coastguard Worker // General names. 2066*8fb009dcSAndroid Build Coastguard Worker // 2067*8fb009dcSAndroid Build Coastguard Worker // A |GENERAL_NAME| represents an X.509 GeneralName structure, defined in RFC 2068*8fb009dcSAndroid Build Coastguard Worker // 5280, Section 4.2.1.6. General names are distinct from names (|X509_NAME|). A 2069*8fb009dcSAndroid Build Coastguard Worker // general name is a CHOICE type which may contain one of several name types, 2070*8fb009dcSAndroid Build Coastguard Worker // most commonly a DNS name or an IP address. General names most commonly appear 2071*8fb009dcSAndroid Build Coastguard Worker // in the subject alternative name (SAN) extension, though they are also used in 2072*8fb009dcSAndroid Build Coastguard Worker // other extensions. 2073*8fb009dcSAndroid Build Coastguard Worker // 2074*8fb009dcSAndroid Build Coastguard Worker // Many extensions contain a SEQUENCE OF GeneralName, or GeneralNames, so 2075*8fb009dcSAndroid Build Coastguard Worker // |STACK_OF(GENERAL_NAME)| is defined and aliased to |GENERAL_NAMES|. 2076*8fb009dcSAndroid Build Coastguard Worker 2077*8fb009dcSAndroid Build Coastguard Worker typedef struct otherName_st { 2078*8fb009dcSAndroid Build Coastguard Worker ASN1_OBJECT *type_id; 2079*8fb009dcSAndroid Build Coastguard Worker ASN1_TYPE *value; 2080*8fb009dcSAndroid Build Coastguard Worker } OTHERNAME; 2081*8fb009dcSAndroid Build Coastguard Worker 2082*8fb009dcSAndroid Build Coastguard Worker typedef struct EDIPartyName_st { 2083*8fb009dcSAndroid Build Coastguard Worker ASN1_STRING *nameAssigner; 2084*8fb009dcSAndroid Build Coastguard Worker ASN1_STRING *partyName; 2085*8fb009dcSAndroid Build Coastguard Worker } EDIPARTYNAME; 2086*8fb009dcSAndroid Build Coastguard Worker 2087*8fb009dcSAndroid Build Coastguard Worker // GEN_* are constants for the |type| field of |GENERAL_NAME|, defined below. 2088*8fb009dcSAndroid Build Coastguard Worker #define GEN_OTHERNAME 0 2089*8fb009dcSAndroid Build Coastguard Worker #define GEN_EMAIL 1 2090*8fb009dcSAndroid Build Coastguard Worker #define GEN_DNS 2 2091*8fb009dcSAndroid Build Coastguard Worker #define GEN_X400 3 2092*8fb009dcSAndroid Build Coastguard Worker #define GEN_DIRNAME 4 2093*8fb009dcSAndroid Build Coastguard Worker #define GEN_EDIPARTY 5 2094*8fb009dcSAndroid Build Coastguard Worker #define GEN_URI 6 2095*8fb009dcSAndroid Build Coastguard Worker #define GEN_IPADD 7 2096*8fb009dcSAndroid Build Coastguard Worker #define GEN_RID 8 2097*8fb009dcSAndroid Build Coastguard Worker 2098*8fb009dcSAndroid Build Coastguard Worker // A GENERAL_NAME_st, aka |GENERAL_NAME|, represents an X.509 GeneralName. The 2099*8fb009dcSAndroid Build Coastguard Worker // |type| field determines which member of |d| is active. A |GENERAL_NAME| may 2100*8fb009dcSAndroid Build Coastguard Worker // also be empty, in which case |type| is -1 and |d| is NULL. Empty 2101*8fb009dcSAndroid Build Coastguard Worker // |GENERAL_NAME|s are invalid and will never be returned from the parser, but 2102*8fb009dcSAndroid Build Coastguard Worker // may be created temporarily, e.g. by |GENERAL_NAME_new|. 2103*8fb009dcSAndroid Build Coastguard Worker // 2104*8fb009dcSAndroid Build Coastguard Worker // WARNING: |type| and |d| must be kept consistent. An inconsistency will result 2105*8fb009dcSAndroid Build Coastguard Worker // in a potentially exploitable memory error. 2106*8fb009dcSAndroid Build Coastguard Worker struct GENERAL_NAME_st { 2107*8fb009dcSAndroid Build Coastguard Worker int type; 2108*8fb009dcSAndroid Build Coastguard Worker union { 2109*8fb009dcSAndroid Build Coastguard Worker char *ptr; 2110*8fb009dcSAndroid Build Coastguard Worker OTHERNAME *otherName; 2111*8fb009dcSAndroid Build Coastguard Worker ASN1_IA5STRING *rfc822Name; 2112*8fb009dcSAndroid Build Coastguard Worker ASN1_IA5STRING *dNSName; 2113*8fb009dcSAndroid Build Coastguard Worker ASN1_STRING *x400Address; 2114*8fb009dcSAndroid Build Coastguard Worker X509_NAME *directoryName; 2115*8fb009dcSAndroid Build Coastguard Worker EDIPARTYNAME *ediPartyName; 2116*8fb009dcSAndroid Build Coastguard Worker ASN1_IA5STRING *uniformResourceIdentifier; 2117*8fb009dcSAndroid Build Coastguard Worker ASN1_OCTET_STRING *iPAddress; 2118*8fb009dcSAndroid Build Coastguard Worker ASN1_OBJECT *registeredID; 2119*8fb009dcSAndroid Build Coastguard Worker 2120*8fb009dcSAndroid Build Coastguard Worker // Old names 2121*8fb009dcSAndroid Build Coastguard Worker ASN1_OCTET_STRING *ip; // iPAddress 2122*8fb009dcSAndroid Build Coastguard Worker X509_NAME *dirn; // dirn 2123*8fb009dcSAndroid Build Coastguard Worker ASN1_IA5STRING *ia5; // rfc822Name, dNSName, uniformResourceIdentifier 2124*8fb009dcSAndroid Build Coastguard Worker ASN1_OBJECT *rid; // registeredID 2125*8fb009dcSAndroid Build Coastguard Worker } d; 2126*8fb009dcSAndroid Build Coastguard Worker } /* GENERAL_NAME */; 2127*8fb009dcSAndroid Build Coastguard Worker 2128*8fb009dcSAndroid Build Coastguard Worker // GENERAL_NAME_new returns a new, empty |GENERAL_NAME|, or NULL on error. 2129*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT GENERAL_NAME *GENERAL_NAME_new(void); 2130*8fb009dcSAndroid Build Coastguard Worker 2131*8fb009dcSAndroid Build Coastguard Worker // GENERAL_NAME_free releases memory associated with |gen|. 2132*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void GENERAL_NAME_free(GENERAL_NAME *gen); 2133*8fb009dcSAndroid Build Coastguard Worker 2134*8fb009dcSAndroid Build Coastguard Worker // d2i_GENERAL_NAME parses up to |len| bytes from |*inp| as a DER-encoded X.509 2135*8fb009dcSAndroid Build Coastguard Worker // GeneralName (RFC 5280), as described in |d2i_SAMPLE|. 2136*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT GENERAL_NAME *d2i_GENERAL_NAME(GENERAL_NAME **out, 2137*8fb009dcSAndroid Build Coastguard Worker const uint8_t **inp, long len); 2138*8fb009dcSAndroid Build Coastguard Worker 2139*8fb009dcSAndroid Build Coastguard Worker // i2d_GENERAL_NAME marshals |in| as a DER-encoded X.509 GeneralName (RFC 5280), 2140*8fb009dcSAndroid Build Coastguard Worker // as described in |i2d_SAMPLE|. 2141*8fb009dcSAndroid Build Coastguard Worker // 2142*8fb009dcSAndroid Build Coastguard Worker // TODO(https://crbug.com/boringssl/407): This function should be const and 2143*8fb009dcSAndroid Build Coastguard Worker // thread-safe but is currently neither in some cases, notably if |in| is an 2144*8fb009dcSAndroid Build Coastguard Worker // directoryName and the |X509_NAME| has been modified. 2145*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_GENERAL_NAME(GENERAL_NAME *in, uint8_t **outp); 2146*8fb009dcSAndroid Build Coastguard Worker 2147*8fb009dcSAndroid Build Coastguard Worker // GENERAL_NAME_dup returns a newly-allocated copy of |gen|, or NULL on error. 2148*8fb009dcSAndroid Build Coastguard Worker // This function works by serializing the structure, so it will fail if |gen| is 2149*8fb009dcSAndroid Build Coastguard Worker // empty. 2150*8fb009dcSAndroid Build Coastguard Worker // 2151*8fb009dcSAndroid Build Coastguard Worker // TODO(https://crbug.com/boringssl/407): This function should be const and 2152*8fb009dcSAndroid Build Coastguard Worker // thread-safe but is currently neither in some cases, notably if |gen| is an 2153*8fb009dcSAndroid Build Coastguard Worker // directoryName and the |X509_NAME| has been modified. 2154*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *gen); 2155*8fb009dcSAndroid Build Coastguard Worker 2156*8fb009dcSAndroid Build Coastguard Worker // GENERAL_NAMES_new returns a new, empty |GENERAL_NAMES|, or NULL on error. 2157*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT GENERAL_NAMES *GENERAL_NAMES_new(void); 2158*8fb009dcSAndroid Build Coastguard Worker 2159*8fb009dcSAndroid Build Coastguard Worker // GENERAL_NAMES_free releases memory associated with |gens|. 2160*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void GENERAL_NAMES_free(GENERAL_NAMES *gens); 2161*8fb009dcSAndroid Build Coastguard Worker 2162*8fb009dcSAndroid Build Coastguard Worker // d2i_GENERAL_NAMES parses up to |len| bytes from |*inp| as a DER-encoded 2163*8fb009dcSAndroid Build Coastguard Worker // SEQUENCE OF GeneralName, as described in |d2i_SAMPLE|. 2164*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT GENERAL_NAMES *d2i_GENERAL_NAMES(GENERAL_NAMES **out, 2165*8fb009dcSAndroid Build Coastguard Worker const uint8_t **inp, long len); 2166*8fb009dcSAndroid Build Coastguard Worker 2167*8fb009dcSAndroid Build Coastguard Worker // i2d_GENERAL_NAMES marshals |in| as a DER-encoded SEQUENCE OF GeneralName, as 2168*8fb009dcSAndroid Build Coastguard Worker // described in |i2d_SAMPLE|. 2169*8fb009dcSAndroid Build Coastguard Worker // 2170*8fb009dcSAndroid Build Coastguard Worker // TODO(https://crbug.com/boringssl/407): This function should be const and 2171*8fb009dcSAndroid Build Coastguard Worker // thread-safe but is currently neither in some cases, notably if some element 2172*8fb009dcSAndroid Build Coastguard Worker // of |in| is an directoryName and the |X509_NAME| has been modified. 2173*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_GENERAL_NAMES(GENERAL_NAMES *in, uint8_t **outp); 2174*8fb009dcSAndroid Build Coastguard Worker 2175*8fb009dcSAndroid Build Coastguard Worker // OTHERNAME_new returns a new, empty |OTHERNAME|, or NULL on error. 2176*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT OTHERNAME *OTHERNAME_new(void); 2177*8fb009dcSAndroid Build Coastguard Worker 2178*8fb009dcSAndroid Build Coastguard Worker // OTHERNAME_free releases memory associated with |name|. 2179*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void OTHERNAME_free(OTHERNAME *name); 2180*8fb009dcSAndroid Build Coastguard Worker 2181*8fb009dcSAndroid Build Coastguard Worker // EDIPARTYNAME_new returns a new, empty |EDIPARTYNAME|, or NULL on error. 2182*8fb009dcSAndroid Build Coastguard Worker // EDIPartyName is rarely used in practice, so callers are unlikely to need this 2183*8fb009dcSAndroid Build Coastguard Worker // function. 2184*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT EDIPARTYNAME *EDIPARTYNAME_new(void); 2185*8fb009dcSAndroid Build Coastguard Worker 2186*8fb009dcSAndroid Build Coastguard Worker // EDIPARTYNAME_free releases memory associated with |name|. EDIPartyName is 2187*8fb009dcSAndroid Build Coastguard Worker // rarely used in practice, so callers are unlikely to need this function. 2188*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void EDIPARTYNAME_free(EDIPARTYNAME *name); 2189*8fb009dcSAndroid Build Coastguard Worker 2190*8fb009dcSAndroid Build Coastguard Worker // GENERAL_NAME_set0_value set |gen|'s type and value to |type| and |value|. 2191*8fb009dcSAndroid Build Coastguard Worker // |type| must be a |GEN_*| constant and |value| must be an object of the 2192*8fb009dcSAndroid Build Coastguard Worker // corresponding type. |gen| takes ownership of |value|, so |value| must have 2193*8fb009dcSAndroid Build Coastguard Worker // been an allocated object. 2194*8fb009dcSAndroid Build Coastguard Worker // 2195*8fb009dcSAndroid Build Coastguard Worker // WARNING: |gen| must be empty (typically as returned from |GENERAL_NAME_new|) 2196*8fb009dcSAndroid Build Coastguard Worker // before calling this function. If |gen| already contained a value, the 2197*8fb009dcSAndroid Build Coastguard Worker // previous contents will be leaked. 2198*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void GENERAL_NAME_set0_value(GENERAL_NAME *gen, int type, 2199*8fb009dcSAndroid Build Coastguard Worker void *value); 2200*8fb009dcSAndroid Build Coastguard Worker 2201*8fb009dcSAndroid Build Coastguard Worker // GENERAL_NAME_get0_value returns the in-memory representation of |gen|'s 2202*8fb009dcSAndroid Build Coastguard Worker // contents and, |out_type| is not NULL, sets |*out_type| to the type of |gen|, 2203*8fb009dcSAndroid Build Coastguard Worker // which will be a |GEN_*| constant. If |gen| is incomplete, the return value 2204*8fb009dcSAndroid Build Coastguard Worker // will be NULL and the type will be -1. 2205*8fb009dcSAndroid Build Coastguard Worker // 2206*8fb009dcSAndroid Build Coastguard Worker // WARNING: Casting the result of this function to the wrong type is a 2207*8fb009dcSAndroid Build Coastguard Worker // potentially exploitable memory error. Callers must check |gen|'s type, either 2208*8fb009dcSAndroid Build Coastguard Worker // via |*out_type| or checking |gen->type| directly, before inspecting the 2209*8fb009dcSAndroid Build Coastguard Worker // result. 2210*8fb009dcSAndroid Build Coastguard Worker // 2211*8fb009dcSAndroid Build Coastguard Worker // WARNING: This function is not const-correct. The return value should be 2212*8fb009dcSAndroid Build Coastguard Worker // const. Callers shoudl not mutate the returned object. 2213*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void *GENERAL_NAME_get0_value(const GENERAL_NAME *gen, 2214*8fb009dcSAndroid Build Coastguard Worker int *out_type); 2215*8fb009dcSAndroid Build Coastguard Worker 2216*8fb009dcSAndroid Build Coastguard Worker // GENERAL_NAME_set0_othername sets |gen| to be an OtherName with type |oid| and 2217*8fb009dcSAndroid Build Coastguard Worker // value |value|. On success, it returns one and takes ownership of |oid| and 2218*8fb009dcSAndroid Build Coastguard Worker // |value|, which must be created in a way compatible with |ASN1_OBJECT_free| 2219*8fb009dcSAndroid Build Coastguard Worker // and |ASN1_TYPE_free|, respectively. On allocation failure, it returns zero. 2220*8fb009dcSAndroid Build Coastguard Worker // In the failure case, the caller retains ownership of |oid| and |value| and 2221*8fb009dcSAndroid Build Coastguard Worker // must release them when done. 2222*8fb009dcSAndroid Build Coastguard Worker // 2223*8fb009dcSAndroid Build Coastguard Worker // WARNING: |gen| must be empty (typically as returned from |GENERAL_NAME_new|) 2224*8fb009dcSAndroid Build Coastguard Worker // before calling this function. If |gen| already contained a value, the 2225*8fb009dcSAndroid Build Coastguard Worker // previously contents will be leaked. 2226*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int GENERAL_NAME_set0_othername(GENERAL_NAME *gen, 2227*8fb009dcSAndroid Build Coastguard Worker ASN1_OBJECT *oid, 2228*8fb009dcSAndroid Build Coastguard Worker ASN1_TYPE *value); 2229*8fb009dcSAndroid Build Coastguard Worker 2230*8fb009dcSAndroid Build Coastguard Worker // GENERAL_NAME_get0_otherName, if |gen| is an OtherName, sets |*out_oid| and 2231*8fb009dcSAndroid Build Coastguard Worker // |*out_value| to the OtherName's type-id and value, respectively, and returns 2232*8fb009dcSAndroid Build Coastguard Worker // one. If |gen| is not an OtherName, it returns zero and leaves |*out_oid| and 2233*8fb009dcSAndroid Build Coastguard Worker // |*out_value| unmodified. Either of |out_oid| or |out_value| may be NULL to 2234*8fb009dcSAndroid Build Coastguard Worker // ignore the value. 2235*8fb009dcSAndroid Build Coastguard Worker // 2236*8fb009dcSAndroid Build Coastguard Worker // WARNING: This function is not const-correct. |out_oid| and |out_value| are 2237*8fb009dcSAndroid Build Coastguard Worker // not const, but callers should not mutate the resulting objects. 2238*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int GENERAL_NAME_get0_otherName(const GENERAL_NAME *gen, 2239*8fb009dcSAndroid Build Coastguard Worker ASN1_OBJECT **out_oid, 2240*8fb009dcSAndroid Build Coastguard Worker ASN1_TYPE **out_value); 2241*8fb009dcSAndroid Build Coastguard Worker 2242*8fb009dcSAndroid Build Coastguard Worker 2243*8fb009dcSAndroid Build Coastguard Worker // Authority key identifier. 2244*8fb009dcSAndroid Build Coastguard Worker // 2245*8fb009dcSAndroid Build Coastguard Worker // The authority key identifier extension (RFC 5280, section 4.2.1.1) allows a 2246*8fb009dcSAndroid Build Coastguard Worker // certificate to more precisely identify its issuer. This is helpful when 2247*8fb009dcSAndroid Build Coastguard Worker // multiple certificates share a name. Only the keyIdentifier (|keyid| in 2248*8fb009dcSAndroid Build Coastguard Worker // |AUTHORITY_KEYID|) field is used in practice. 2249*8fb009dcSAndroid Build Coastguard Worker 2250*8fb009dcSAndroid Build Coastguard Worker // A AUTHORITY_KEYID_st, aka |AUTHORITY_KEYID|, represents an 2251*8fb009dcSAndroid Build Coastguard Worker // AuthorityKeyIdentifier structure (RFC 5280). 2252*8fb009dcSAndroid Build Coastguard Worker struct AUTHORITY_KEYID_st { 2253*8fb009dcSAndroid Build Coastguard Worker ASN1_OCTET_STRING *keyid; 2254*8fb009dcSAndroid Build Coastguard Worker GENERAL_NAMES *issuer; 2255*8fb009dcSAndroid Build Coastguard Worker ASN1_INTEGER *serial; 2256*8fb009dcSAndroid Build Coastguard Worker } /* AUTHORITY_KEYID */; 2257*8fb009dcSAndroid Build Coastguard Worker 2258*8fb009dcSAndroid Build Coastguard Worker // AUTHORITY_KEYID is an |ASN1_ITEM| whose ASN.1 type is AuthorityKeyIdentifier 2259*8fb009dcSAndroid Build Coastguard Worker // (RFC 5280) and C type is |AUTHORITY_KEYID*|. 2260*8fb009dcSAndroid Build Coastguard Worker DECLARE_ASN1_ITEM(AUTHORITY_KEYID) 2261*8fb009dcSAndroid Build Coastguard Worker 2262*8fb009dcSAndroid Build Coastguard Worker // AUTHORITY_KEYID_new returns a newly-allocated, empty |AUTHORITY_KEYID| 2263*8fb009dcSAndroid Build Coastguard Worker // object, or NULL on error. 2264*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT AUTHORITY_KEYID *AUTHORITY_KEYID_new(void); 2265*8fb009dcSAndroid Build Coastguard Worker 2266*8fb009dcSAndroid Build Coastguard Worker // AUTHORITY_KEYID_free releases memory associated with |akid|. 2267*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void AUTHORITY_KEYID_free(AUTHORITY_KEYID *akid); 2268*8fb009dcSAndroid Build Coastguard Worker 2269*8fb009dcSAndroid Build Coastguard Worker // d2i_AUTHORITY_KEYID parses up to |len| bytes from |*inp| as a DER-encoded 2270*8fb009dcSAndroid Build Coastguard Worker // AuthorityKeyIdentifier (RFC 5280), as described in |d2i_SAMPLE|. 2271*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT AUTHORITY_KEYID *d2i_AUTHORITY_KEYID(AUTHORITY_KEYID **out, 2272*8fb009dcSAndroid Build Coastguard Worker const uint8_t **inp, 2273*8fb009dcSAndroid Build Coastguard Worker long len); 2274*8fb009dcSAndroid Build Coastguard Worker 2275*8fb009dcSAndroid Build Coastguard Worker // i2d_AUTHORITY_KEYID marshals |akid| as a DER-encoded AuthorityKeyIdentifier 2276*8fb009dcSAndroid Build Coastguard Worker // (RFC 5280), as described in |i2d_SAMPLE|. 2277*8fb009dcSAndroid Build Coastguard Worker // 2278*8fb009dcSAndroid Build Coastguard Worker // TODO(https://crbug.com/boringssl/407): |akid| is not const because it 2279*8fb009dcSAndroid Build Coastguard Worker // contains an |X509_NAME|. 2280*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_AUTHORITY_KEYID(AUTHORITY_KEYID *akid, uint8_t **outp); 2281*8fb009dcSAndroid Build Coastguard Worker 2282*8fb009dcSAndroid Build Coastguard Worker 2283*8fb009dcSAndroid Build Coastguard Worker // Name constraints. 2284*8fb009dcSAndroid Build Coastguard Worker // 2285*8fb009dcSAndroid Build Coastguard Worker // The name constraints extension (RFC 5280, section 4.2.1.10) constrains which 2286*8fb009dcSAndroid Build Coastguard Worker // names may be asserted by certificates issued by some CA. For example, a 2287*8fb009dcSAndroid Build Coastguard Worker // general CA may issue an intermediate certificate to the owner of example.com, 2288*8fb009dcSAndroid Build Coastguard Worker // but constrained to ".example.com". 2289*8fb009dcSAndroid Build Coastguard Worker 2290*8fb009dcSAndroid Build Coastguard Worker // A GENERAL_SUBTREE represents a GeneralSubtree structure (RFC 5280). 2291*8fb009dcSAndroid Build Coastguard Worker typedef struct GENERAL_SUBTREE_st { 2292*8fb009dcSAndroid Build Coastguard Worker GENERAL_NAME *base; 2293*8fb009dcSAndroid Build Coastguard Worker ASN1_INTEGER *minimum; 2294*8fb009dcSAndroid Build Coastguard Worker ASN1_INTEGER *maximum; 2295*8fb009dcSAndroid Build Coastguard Worker } GENERAL_SUBTREE; 2296*8fb009dcSAndroid Build Coastguard Worker 2297*8fb009dcSAndroid Build Coastguard Worker DEFINE_STACK_OF(GENERAL_SUBTREE) 2298*8fb009dcSAndroid Build Coastguard Worker 2299*8fb009dcSAndroid Build Coastguard Worker // GENERAL_SUBTREE_new returns a newly-allocated, empty |GENERAL_SUBTREE| 2300*8fb009dcSAndroid Build Coastguard Worker // object, or NULL on error. 2301*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT GENERAL_SUBTREE *GENERAL_SUBTREE_new(void); 2302*8fb009dcSAndroid Build Coastguard Worker 2303*8fb009dcSAndroid Build Coastguard Worker // GENERAL_SUBTREE_free releases memory associated with |subtree|. 2304*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void GENERAL_SUBTREE_free(GENERAL_SUBTREE *subtree); 2305*8fb009dcSAndroid Build Coastguard Worker 2306*8fb009dcSAndroid Build Coastguard Worker // A NAME_CONSTRAINTS_st, aka |NAME_CONSTRAINTS|, represents a NameConstraints 2307*8fb009dcSAndroid Build Coastguard Worker // structure (RFC 5280). 2308*8fb009dcSAndroid Build Coastguard Worker struct NAME_CONSTRAINTS_st { 2309*8fb009dcSAndroid Build Coastguard Worker STACK_OF(GENERAL_SUBTREE) *permittedSubtrees; 2310*8fb009dcSAndroid Build Coastguard Worker STACK_OF(GENERAL_SUBTREE) *excludedSubtrees; 2311*8fb009dcSAndroid Build Coastguard Worker } /* NAME_CONSTRAINTS */; 2312*8fb009dcSAndroid Build Coastguard Worker 2313*8fb009dcSAndroid Build Coastguard Worker // NAME_CONSTRAINTS is an |ASN1_ITEM| whose ASN.1 type is NameConstraints (RFC 2314*8fb009dcSAndroid Build Coastguard Worker // 5280) and C type is |NAME_CONSTRAINTS*|. 2315*8fb009dcSAndroid Build Coastguard Worker DECLARE_ASN1_ITEM(NAME_CONSTRAINTS) 2316*8fb009dcSAndroid Build Coastguard Worker 2317*8fb009dcSAndroid Build Coastguard Worker // NAME_CONSTRAINTS_new returns a newly-allocated, empty |NAME_CONSTRAINTS| 2318*8fb009dcSAndroid Build Coastguard Worker // object, or NULL on error. 2319*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT NAME_CONSTRAINTS *NAME_CONSTRAINTS_new(void); 2320*8fb009dcSAndroid Build Coastguard Worker 2321*8fb009dcSAndroid Build Coastguard Worker // NAME_CONSTRAINTS_free releases memory associated with |ncons|. 2322*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void NAME_CONSTRAINTS_free(NAME_CONSTRAINTS *ncons); 2323*8fb009dcSAndroid Build Coastguard Worker 2324*8fb009dcSAndroid Build Coastguard Worker 2325*8fb009dcSAndroid Build Coastguard Worker // Authority information access. 2326*8fb009dcSAndroid Build Coastguard Worker // 2327*8fb009dcSAndroid Build Coastguard Worker // The authority information access extension (RFC 5280, 4.2.2.1) describes 2328*8fb009dcSAndroid Build Coastguard Worker // where to obtain information about the issuer of a certificate. It is most 2329*8fb009dcSAndroid Build Coastguard Worker // commonly used with accessMethod values of id-ad-caIssuers and id-ad-ocsp, to 2330*8fb009dcSAndroid Build Coastguard Worker // indicate where to fetch the issuer certificate (if not provided in-band) and 2331*8fb009dcSAndroid Build Coastguard Worker // the issuer's OCSP responder, respectively. 2332*8fb009dcSAndroid Build Coastguard Worker 2333*8fb009dcSAndroid Build Coastguard Worker // An ACCESS_DESCRIPTION represents an AccessDescription structure (RFC 5280). 2334*8fb009dcSAndroid Build Coastguard Worker typedef struct ACCESS_DESCRIPTION_st { 2335*8fb009dcSAndroid Build Coastguard Worker ASN1_OBJECT *method; 2336*8fb009dcSAndroid Build Coastguard Worker GENERAL_NAME *location; 2337*8fb009dcSAndroid Build Coastguard Worker } ACCESS_DESCRIPTION; 2338*8fb009dcSAndroid Build Coastguard Worker 2339*8fb009dcSAndroid Build Coastguard Worker DEFINE_STACK_OF(ACCESS_DESCRIPTION) 2340*8fb009dcSAndroid Build Coastguard Worker 2341*8fb009dcSAndroid Build Coastguard Worker // ACCESS_DESCRIPTION_new returns a newly-allocated, empty |ACCESS_DESCRIPTION| 2342*8fb009dcSAndroid Build Coastguard Worker // object, or NULL on error. 2343*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT ACCESS_DESCRIPTION *ACCESS_DESCRIPTION_new(void); 2344*8fb009dcSAndroid Build Coastguard Worker 2345*8fb009dcSAndroid Build Coastguard Worker // ACCESS_DESCRIPTION_free releases memory associated with |desc|. 2346*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void ACCESS_DESCRIPTION_free(ACCESS_DESCRIPTION *desc); 2347*8fb009dcSAndroid Build Coastguard Worker 2348*8fb009dcSAndroid Build Coastguard Worker typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS; 2349*8fb009dcSAndroid Build Coastguard Worker 2350*8fb009dcSAndroid Build Coastguard Worker // AUTHORITY_INFO_ACCESS is an |ASN1_ITEM| whose ASN.1 type is 2351*8fb009dcSAndroid Build Coastguard Worker // AuthorityInfoAccessSyntax (RFC 5280) and C type is 2352*8fb009dcSAndroid Build Coastguard Worker // |STACK_OF(ACCESS_DESCRIPTION)*|, or |AUTHORITY_INFO_ACCESS*|. 2353*8fb009dcSAndroid Build Coastguard Worker DECLARE_ASN1_ITEM(AUTHORITY_INFO_ACCESS) 2354*8fb009dcSAndroid Build Coastguard Worker 2355*8fb009dcSAndroid Build Coastguard Worker // AUTHORITY_INFO_ACCESS_new returns a newly-allocated, empty 2356*8fb009dcSAndroid Build Coastguard Worker // |AUTHORITY_INFO_ACCESS| object, or NULL on error. 2357*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT AUTHORITY_INFO_ACCESS *AUTHORITY_INFO_ACCESS_new(void); 2358*8fb009dcSAndroid Build Coastguard Worker 2359*8fb009dcSAndroid Build Coastguard Worker // AUTHORITY_INFO_ACCESS_free releases memory associated with |aia|. 2360*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void AUTHORITY_INFO_ACCESS_free(AUTHORITY_INFO_ACCESS *aia); 2361*8fb009dcSAndroid Build Coastguard Worker 2362*8fb009dcSAndroid Build Coastguard Worker // d2i_AUTHORITY_INFO_ACCESS parses up to |len| bytes from |*inp| as a 2363*8fb009dcSAndroid Build Coastguard Worker // DER-encoded AuthorityInfoAccessSyntax (RFC 5280), as described in 2364*8fb009dcSAndroid Build Coastguard Worker // |d2i_SAMPLE|. 2365*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT AUTHORITY_INFO_ACCESS *d2i_AUTHORITY_INFO_ACCESS( 2366*8fb009dcSAndroid Build Coastguard Worker AUTHORITY_INFO_ACCESS **out, const uint8_t **inp, long len); 2367*8fb009dcSAndroid Build Coastguard Worker 2368*8fb009dcSAndroid Build Coastguard Worker // i2d_AUTHORITY_INFO_ACCESS marshals |aia| as a DER-encoded 2369*8fb009dcSAndroid Build Coastguard Worker // AuthorityInfoAccessSyntax (RFC 5280), as described in |i2d_SAMPLE|. 2370*8fb009dcSAndroid Build Coastguard Worker // 2371*8fb009dcSAndroid Build Coastguard Worker // TODO(https://crbug.com/boringssl/407): |aia| is not const because it 2372*8fb009dcSAndroid Build Coastguard Worker // contains an |X509_NAME|. 2373*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_AUTHORITY_INFO_ACCESS(AUTHORITY_INFO_ACCESS *aia, 2374*8fb009dcSAndroid Build Coastguard Worker uint8_t **outp); 2375*8fb009dcSAndroid Build Coastguard Worker 2376*8fb009dcSAndroid Build Coastguard Worker 2377*8fb009dcSAndroid Build Coastguard Worker // CRL distribution points. 2378*8fb009dcSAndroid Build Coastguard Worker // 2379*8fb009dcSAndroid Build Coastguard Worker // The CRL distribution points extension (RFC 5280, 4.2.1.13) indicates where to 2380*8fb009dcSAndroid Build Coastguard Worker // fetch a certificate issuer's CRL. The corresponding issuing distribution 2381*8fb009dcSAndroid Build Coastguard Worker // point CRL extension (RFC 5280, section 5.2.5) matches against this extension. 2382*8fb009dcSAndroid Build Coastguard Worker 2383*8fb009dcSAndroid Build Coastguard Worker // A DIST_POINT_NAME represents a DistributionPointName structure (RFC 5280). 2384*8fb009dcSAndroid Build Coastguard Worker // The |name| field contains the CHOICE value and is determined by |type|. If 2385*8fb009dcSAndroid Build Coastguard Worker // |type| is zero, |name| must be a |fullname|. If |type| is one, |name| must be 2386*8fb009dcSAndroid Build Coastguard Worker // a |relativename|. 2387*8fb009dcSAndroid Build Coastguard Worker // 2388*8fb009dcSAndroid Build Coastguard Worker // WARNING: |type| and |name| must be kept consistent. An inconsistency will 2389*8fb009dcSAndroid Build Coastguard Worker // result in a potentially exploitable memory error. 2390*8fb009dcSAndroid Build Coastguard Worker typedef struct DIST_POINT_NAME_st { 2391*8fb009dcSAndroid Build Coastguard Worker int type; 2392*8fb009dcSAndroid Build Coastguard Worker union { 2393*8fb009dcSAndroid Build Coastguard Worker GENERAL_NAMES *fullname; 2394*8fb009dcSAndroid Build Coastguard Worker STACK_OF(X509_NAME_ENTRY) *relativename; 2395*8fb009dcSAndroid Build Coastguard Worker } name; 2396*8fb009dcSAndroid Build Coastguard Worker // If relativename then this contains the full distribution point name 2397*8fb009dcSAndroid Build Coastguard Worker X509_NAME *dpname; 2398*8fb009dcSAndroid Build Coastguard Worker } DIST_POINT_NAME; 2399*8fb009dcSAndroid Build Coastguard Worker 2400*8fb009dcSAndroid Build Coastguard Worker // DIST_POINT_NAME_new returns a newly-allocated, empty |DIST_POINT_NAME| 2401*8fb009dcSAndroid Build Coastguard Worker // object, or NULL on error. 2402*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT DIST_POINT_NAME *DIST_POINT_NAME_new(void); 2403*8fb009dcSAndroid Build Coastguard Worker 2404*8fb009dcSAndroid Build Coastguard Worker // DIST_POINT_NAME_free releases memory associated with |name|. 2405*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void DIST_POINT_NAME_free(DIST_POINT_NAME *name); 2406*8fb009dcSAndroid Build Coastguard Worker 2407*8fb009dcSAndroid Build Coastguard Worker // A DIST_POINT_st, aka |DIST_POINT|, represents a DistributionPoint structure 2408*8fb009dcSAndroid Build Coastguard Worker // (RFC 5280). 2409*8fb009dcSAndroid Build Coastguard Worker struct DIST_POINT_st { 2410*8fb009dcSAndroid Build Coastguard Worker DIST_POINT_NAME *distpoint; 2411*8fb009dcSAndroid Build Coastguard Worker ASN1_BIT_STRING *reasons; 2412*8fb009dcSAndroid Build Coastguard Worker GENERAL_NAMES *CRLissuer; 2413*8fb009dcSAndroid Build Coastguard Worker } /* DIST_POINT */; 2414*8fb009dcSAndroid Build Coastguard Worker 2415*8fb009dcSAndroid Build Coastguard Worker DEFINE_STACK_OF(DIST_POINT) 2416*8fb009dcSAndroid Build Coastguard Worker 2417*8fb009dcSAndroid Build Coastguard Worker // DIST_POINT_new returns a newly-allocated, empty |DIST_POINT| object, or NULL 2418*8fb009dcSAndroid Build Coastguard Worker // on error. 2419*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT DIST_POINT *DIST_POINT_new(void); 2420*8fb009dcSAndroid Build Coastguard Worker 2421*8fb009dcSAndroid Build Coastguard Worker // DIST_POINT_free releases memory associated with |dp|. 2422*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void DIST_POINT_free(DIST_POINT *dp); 2423*8fb009dcSAndroid Build Coastguard Worker 2424*8fb009dcSAndroid Build Coastguard Worker typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS; 2425*8fb009dcSAndroid Build Coastguard Worker 2426*8fb009dcSAndroid Build Coastguard Worker // CRL_DIST_POINTS is an |ASN1_ITEM| whose ASN.1 type is CRLDistributionPoints 2427*8fb009dcSAndroid Build Coastguard Worker // (RFC 5280) and C type is |CRL_DIST_POINTS*|. 2428*8fb009dcSAndroid Build Coastguard Worker DECLARE_ASN1_ITEM(CRL_DIST_POINTS) 2429*8fb009dcSAndroid Build Coastguard Worker 2430*8fb009dcSAndroid Build Coastguard Worker // CRL_DIST_POINTS_new returns a newly-allocated, empty |CRL_DIST_POINTS| 2431*8fb009dcSAndroid Build Coastguard Worker // object, or NULL on error. 2432*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT CRL_DIST_POINTS *CRL_DIST_POINTS_new(void); 2433*8fb009dcSAndroid Build Coastguard Worker 2434*8fb009dcSAndroid Build Coastguard Worker // CRL_DIST_POINTS_free releases memory associated with |crldp|. 2435*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void CRL_DIST_POINTS_free(CRL_DIST_POINTS *crldp); 2436*8fb009dcSAndroid Build Coastguard Worker 2437*8fb009dcSAndroid Build Coastguard Worker // d2i_CRL_DIST_POINTS parses up to |len| bytes from |*inp| as a DER-encoded 2438*8fb009dcSAndroid Build Coastguard Worker // CRLDistributionPoints (RFC 5280), as described in |d2i_SAMPLE|. 2439*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT CRL_DIST_POINTS *d2i_CRL_DIST_POINTS(CRL_DIST_POINTS **out, 2440*8fb009dcSAndroid Build Coastguard Worker const uint8_t **inp, 2441*8fb009dcSAndroid Build Coastguard Worker long len); 2442*8fb009dcSAndroid Build Coastguard Worker 2443*8fb009dcSAndroid Build Coastguard Worker // i2d_CRL_DIST_POINTS marshals |crldp| as a DER-encoded CRLDistributionPoints 2444*8fb009dcSAndroid Build Coastguard Worker // (RFC 5280), as described in |i2d_SAMPLE|. 2445*8fb009dcSAndroid Build Coastguard Worker // 2446*8fb009dcSAndroid Build Coastguard Worker // TODO(https://crbug.com/boringssl/407): |crldp| is not const because it 2447*8fb009dcSAndroid Build Coastguard Worker // contains an |X509_NAME|. 2448*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_CRL_DIST_POINTS(CRL_DIST_POINTS *crldp, uint8_t **outp); 2449*8fb009dcSAndroid Build Coastguard Worker 2450*8fb009dcSAndroid Build Coastguard Worker // A ISSUING_DIST_POINT_st, aka |ISSUING_DIST_POINT|, represents a 2451*8fb009dcSAndroid Build Coastguard Worker // IssuingDistributionPoint structure (RFC 5280). 2452*8fb009dcSAndroid Build Coastguard Worker struct ISSUING_DIST_POINT_st { 2453*8fb009dcSAndroid Build Coastguard Worker DIST_POINT_NAME *distpoint; 2454*8fb009dcSAndroid Build Coastguard Worker ASN1_BOOLEAN onlyuser; 2455*8fb009dcSAndroid Build Coastguard Worker ASN1_BOOLEAN onlyCA; 2456*8fb009dcSAndroid Build Coastguard Worker ASN1_BIT_STRING *onlysomereasons; 2457*8fb009dcSAndroid Build Coastguard Worker ASN1_BOOLEAN indirectCRL; 2458*8fb009dcSAndroid Build Coastguard Worker ASN1_BOOLEAN onlyattr; 2459*8fb009dcSAndroid Build Coastguard Worker } /* ISSUING_DIST_POINT */; 2460*8fb009dcSAndroid Build Coastguard Worker 2461*8fb009dcSAndroid Build Coastguard Worker // ISSUING_DIST_POINT is an |ASN1_ITEM| whose ASN.1 type is 2462*8fb009dcSAndroid Build Coastguard Worker // IssuingDistributionPoint (RFC 5280) and C type is |ISSUING_DIST_POINT*|. 2463*8fb009dcSAndroid Build Coastguard Worker DECLARE_ASN1_ITEM(ISSUING_DIST_POINT) 2464*8fb009dcSAndroid Build Coastguard Worker 2465*8fb009dcSAndroid Build Coastguard Worker // ISSUING_DIST_POINT_new returns a newly-allocated, empty |ISSUING_DIST_POINT| 2466*8fb009dcSAndroid Build Coastguard Worker // object, or NULL on error. 2467*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT ISSUING_DIST_POINT *ISSUING_DIST_POINT_new(void); 2468*8fb009dcSAndroid Build Coastguard Worker 2469*8fb009dcSAndroid Build Coastguard Worker // ISSUING_DIST_POINT_free releases memory associated with |idp|. 2470*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void ISSUING_DIST_POINT_free(ISSUING_DIST_POINT *idp); 2471*8fb009dcSAndroid Build Coastguard Worker 2472*8fb009dcSAndroid Build Coastguard Worker // d2i_ISSUING_DIST_POINT parses up to |len| bytes from |*inp| as a DER-encoded 2473*8fb009dcSAndroid Build Coastguard Worker // IssuingDistributionPoint (RFC 5280), as described in |d2i_SAMPLE|. 2474*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT ISSUING_DIST_POINT *d2i_ISSUING_DIST_POINT( 2475*8fb009dcSAndroid Build Coastguard Worker ISSUING_DIST_POINT **out, const uint8_t **inp, long len); 2476*8fb009dcSAndroid Build Coastguard Worker 2477*8fb009dcSAndroid Build Coastguard Worker // i2d_ISSUING_DIST_POINT marshals |idp| as a DER-encoded 2478*8fb009dcSAndroid Build Coastguard Worker // IssuingDistributionPoint (RFC 5280), as described in |i2d_SAMPLE|. 2479*8fb009dcSAndroid Build Coastguard Worker // 2480*8fb009dcSAndroid Build Coastguard Worker // TODO(https://crbug.com/boringssl/407): |idp| is not const because it 2481*8fb009dcSAndroid Build Coastguard Worker // contains an |X509_NAME|. 2482*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_ISSUING_DIST_POINT(ISSUING_DIST_POINT *idp, 2483*8fb009dcSAndroid Build Coastguard Worker uint8_t **outp); 2484*8fb009dcSAndroid Build Coastguard Worker 2485*8fb009dcSAndroid Build Coastguard Worker 2486*8fb009dcSAndroid Build Coastguard Worker // Certificate policies. 2487*8fb009dcSAndroid Build Coastguard Worker // 2488*8fb009dcSAndroid Build Coastguard Worker // The certificate policies extension (RFC 5280, section 4.2.1.4), along with a 2489*8fb009dcSAndroid Build Coastguard Worker // suite of related extensions determines the "policies" that apply to a 2490*8fb009dcSAndroid Build Coastguard Worker // certificate path. Evaluating these policies is extremely complex and has led 2491*8fb009dcSAndroid Build Coastguard Worker // to denial-of-service vulnerabilities in several X.509 implementations. See 2492*8fb009dcSAndroid Build Coastguard Worker // draft-ietf-lamps-x509-policy-graph. 2493*8fb009dcSAndroid Build Coastguard Worker // 2494*8fb009dcSAndroid Build Coastguard Worker // Do not use this mechanism. 2495*8fb009dcSAndroid Build Coastguard Worker 2496*8fb009dcSAndroid Build Coastguard Worker // A NOTICEREF represents a NoticeReference structure (RFC 5280). 2497*8fb009dcSAndroid Build Coastguard Worker typedef struct NOTICEREF_st { 2498*8fb009dcSAndroid Build Coastguard Worker ASN1_STRING *organization; 2499*8fb009dcSAndroid Build Coastguard Worker STACK_OF(ASN1_INTEGER) *noticenos; 2500*8fb009dcSAndroid Build Coastguard Worker } NOTICEREF; 2501*8fb009dcSAndroid Build Coastguard Worker 2502*8fb009dcSAndroid Build Coastguard Worker // NOTICEREF_new returns a newly-allocated, empty |NOTICEREF| object, or NULL 2503*8fb009dcSAndroid Build Coastguard Worker // on error. 2504*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT NOTICEREF *NOTICEREF_new(void); 2505*8fb009dcSAndroid Build Coastguard Worker 2506*8fb009dcSAndroid Build Coastguard Worker // NOTICEREF_free releases memory associated with |ref|. 2507*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void NOTICEREF_free(NOTICEREF *ref); 2508*8fb009dcSAndroid Build Coastguard Worker 2509*8fb009dcSAndroid Build Coastguard Worker // A USERNOTICE represents a UserNotice structure (RFC 5280). 2510*8fb009dcSAndroid Build Coastguard Worker typedef struct USERNOTICE_st { 2511*8fb009dcSAndroid Build Coastguard Worker NOTICEREF *noticeref; 2512*8fb009dcSAndroid Build Coastguard Worker ASN1_STRING *exptext; 2513*8fb009dcSAndroid Build Coastguard Worker } USERNOTICE; 2514*8fb009dcSAndroid Build Coastguard Worker 2515*8fb009dcSAndroid Build Coastguard Worker // USERNOTICE_new returns a newly-allocated, empty |USERNOTICE| object, or NULL 2516*8fb009dcSAndroid Build Coastguard Worker // on error. 2517*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT USERNOTICE *USERNOTICE_new(void); 2518*8fb009dcSAndroid Build Coastguard Worker 2519*8fb009dcSAndroid Build Coastguard Worker // USERNOTICE_free releases memory associated with |notice|. 2520*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void USERNOTICE_free(USERNOTICE *notice); 2521*8fb009dcSAndroid Build Coastguard Worker 2522*8fb009dcSAndroid Build Coastguard Worker // A POLICYQUALINFO represents a PolicyQualifierInfo structure (RFC 5280). |d| 2523*8fb009dcSAndroid Build Coastguard Worker // contains the qualifier field of the PolicyQualifierInfo. Its type is 2524*8fb009dcSAndroid Build Coastguard Worker // determined by |pqualid|. If |pqualid| is |NID_id_qt_cps|, |d| must be 2525*8fb009dcSAndroid Build Coastguard Worker // |cpsuri|. If |pqualid| is |NID_id_qt_unotice|, |d| must be |usernotice|. 2526*8fb009dcSAndroid Build Coastguard Worker // Otherwise, |d| must be |other|. 2527*8fb009dcSAndroid Build Coastguard Worker // 2528*8fb009dcSAndroid Build Coastguard Worker // WARNING: |pqualid| and |d| must be kept consistent. An inconsistency will 2529*8fb009dcSAndroid Build Coastguard Worker // result in a potentially exploitable memory error. 2530*8fb009dcSAndroid Build Coastguard Worker typedef struct POLICYQUALINFO_st { 2531*8fb009dcSAndroid Build Coastguard Worker ASN1_OBJECT *pqualid; 2532*8fb009dcSAndroid Build Coastguard Worker union { 2533*8fb009dcSAndroid Build Coastguard Worker ASN1_IA5STRING *cpsuri; 2534*8fb009dcSAndroid Build Coastguard Worker USERNOTICE *usernotice; 2535*8fb009dcSAndroid Build Coastguard Worker ASN1_TYPE *other; 2536*8fb009dcSAndroid Build Coastguard Worker } d; 2537*8fb009dcSAndroid Build Coastguard Worker } POLICYQUALINFO; 2538*8fb009dcSAndroid Build Coastguard Worker 2539*8fb009dcSAndroid Build Coastguard Worker DEFINE_STACK_OF(POLICYQUALINFO) 2540*8fb009dcSAndroid Build Coastguard Worker 2541*8fb009dcSAndroid Build Coastguard Worker // POLICYQUALINFO_new returns a newly-allocated, empty |POLICYQUALINFO| object, 2542*8fb009dcSAndroid Build Coastguard Worker // or NULL on error. 2543*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT POLICYQUALINFO *POLICYQUALINFO_new(void); 2544*8fb009dcSAndroid Build Coastguard Worker 2545*8fb009dcSAndroid Build Coastguard Worker // POLICYQUALINFO_free releases memory associated with |info|. 2546*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void POLICYQUALINFO_free(POLICYQUALINFO *info); 2547*8fb009dcSAndroid Build Coastguard Worker 2548*8fb009dcSAndroid Build Coastguard Worker // A POLICYINFO represents a PolicyInformation structure (RFC 5280). 2549*8fb009dcSAndroid Build Coastguard Worker typedef struct POLICYINFO_st { 2550*8fb009dcSAndroid Build Coastguard Worker ASN1_OBJECT *policyid; 2551*8fb009dcSAndroid Build Coastguard Worker STACK_OF(POLICYQUALINFO) *qualifiers; 2552*8fb009dcSAndroid Build Coastguard Worker } POLICYINFO; 2553*8fb009dcSAndroid Build Coastguard Worker 2554*8fb009dcSAndroid Build Coastguard Worker DEFINE_STACK_OF(POLICYINFO) 2555*8fb009dcSAndroid Build Coastguard Worker 2556*8fb009dcSAndroid Build Coastguard Worker // POLICYINFO_new returns a newly-allocated, empty |POLICYINFO| object, or NULL 2557*8fb009dcSAndroid Build Coastguard Worker // on error. 2558*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT POLICYINFO *POLICYINFO_new(void); 2559*8fb009dcSAndroid Build Coastguard Worker 2560*8fb009dcSAndroid Build Coastguard Worker // POLICYINFO_free releases memory associated with |info|. 2561*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void POLICYINFO_free(POLICYINFO *info); 2562*8fb009dcSAndroid Build Coastguard Worker 2563*8fb009dcSAndroid Build Coastguard Worker typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES; 2564*8fb009dcSAndroid Build Coastguard Worker 2565*8fb009dcSAndroid Build Coastguard Worker // CERTIFICATEPOLICIES is an |ASN1_ITEM| whose ASN.1 type is CertificatePolicies 2566*8fb009dcSAndroid Build Coastguard Worker // (RFC 5280) and C type is |STACK_OF(POLICYINFO)*|, or |CERTIFICATEPOLICIES*|. 2567*8fb009dcSAndroid Build Coastguard Worker DECLARE_ASN1_ITEM(CERTIFICATEPOLICIES) 2568*8fb009dcSAndroid Build Coastguard Worker 2569*8fb009dcSAndroid Build Coastguard Worker // CERTIFICATEPOLICIES_new returns a newly-allocated, empty 2570*8fb009dcSAndroid Build Coastguard Worker // |CERTIFICATEPOLICIES| object, or NULL on error. 2571*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT CERTIFICATEPOLICIES *CERTIFICATEPOLICIES_new(void); 2572*8fb009dcSAndroid Build Coastguard Worker 2573*8fb009dcSAndroid Build Coastguard Worker // CERTIFICATEPOLICIES_free releases memory associated with |policies|. 2574*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void CERTIFICATEPOLICIES_free(CERTIFICATEPOLICIES *policies); 2575*8fb009dcSAndroid Build Coastguard Worker 2576*8fb009dcSAndroid Build Coastguard Worker // d2i_CERTIFICATEPOLICIES parses up to |len| bytes from |*inp| as a DER-encoded 2577*8fb009dcSAndroid Build Coastguard Worker // CertificatePolicies (RFC 5280), as described in |d2i_SAMPLE|. 2578*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT CERTIFICATEPOLICIES *d2i_CERTIFICATEPOLICIES( 2579*8fb009dcSAndroid Build Coastguard Worker CERTIFICATEPOLICIES **out, const uint8_t **inp, long len); 2580*8fb009dcSAndroid Build Coastguard Worker 2581*8fb009dcSAndroid Build Coastguard Worker // i2d_CERTIFICATEPOLICIES marshals |policies| as a DER-encoded 2582*8fb009dcSAndroid Build Coastguard Worker // CertificatePolicies (RFC 5280), as described in |i2d_SAMPLE|. 2583*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_CERTIFICATEPOLICIES(const CERTIFICATEPOLICIES *policies, 2584*8fb009dcSAndroid Build Coastguard Worker uint8_t **outp); 2585*8fb009dcSAndroid Build Coastguard Worker 2586*8fb009dcSAndroid Build Coastguard Worker // A POLICY_MAPPING represents an individual element of a PolicyMappings 2587*8fb009dcSAndroid Build Coastguard Worker // structure (RFC 5280). 2588*8fb009dcSAndroid Build Coastguard Worker typedef struct POLICY_MAPPING_st { 2589*8fb009dcSAndroid Build Coastguard Worker ASN1_OBJECT *issuerDomainPolicy; 2590*8fb009dcSAndroid Build Coastguard Worker ASN1_OBJECT *subjectDomainPolicy; 2591*8fb009dcSAndroid Build Coastguard Worker } POLICY_MAPPING; 2592*8fb009dcSAndroid Build Coastguard Worker 2593*8fb009dcSAndroid Build Coastguard Worker DEFINE_STACK_OF(POLICY_MAPPING) 2594*8fb009dcSAndroid Build Coastguard Worker 2595*8fb009dcSAndroid Build Coastguard Worker // POLICY_MAPPING_new returns a newly-allocated, empty |POLICY_MAPPING| object, 2596*8fb009dcSAndroid Build Coastguard Worker // or NULL on error. 2597*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT POLICY_MAPPING *POLICY_MAPPING_new(void); 2598*8fb009dcSAndroid Build Coastguard Worker 2599*8fb009dcSAndroid Build Coastguard Worker // POLICY_MAPPING_free releases memory associated with |mapping|. 2600*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void POLICY_MAPPING_free(POLICY_MAPPING *mapping); 2601*8fb009dcSAndroid Build Coastguard Worker 2602*8fb009dcSAndroid Build Coastguard Worker typedef STACK_OF(POLICY_MAPPING) POLICY_MAPPINGS; 2603*8fb009dcSAndroid Build Coastguard Worker 2604*8fb009dcSAndroid Build Coastguard Worker // POLICY_MAPPINGS is an |ASN1_ITEM| whose ASN.1 type is PolicyMappings (RFC 2605*8fb009dcSAndroid Build Coastguard Worker // 5280) and C type is |STACK_OF(POLICY_MAPPING)*|, or |POLICY_MAPPINGS*|. 2606*8fb009dcSAndroid Build Coastguard Worker DECLARE_ASN1_ITEM(POLICY_MAPPINGS) 2607*8fb009dcSAndroid Build Coastguard Worker 2608*8fb009dcSAndroid Build Coastguard Worker // A POLICY_CONSTRAINTS represents a PolicyConstraints structure (RFC 5280). 2609*8fb009dcSAndroid Build Coastguard Worker typedef struct POLICY_CONSTRAINTS_st { 2610*8fb009dcSAndroid Build Coastguard Worker ASN1_INTEGER *requireExplicitPolicy; 2611*8fb009dcSAndroid Build Coastguard Worker ASN1_INTEGER *inhibitPolicyMapping; 2612*8fb009dcSAndroid Build Coastguard Worker } POLICY_CONSTRAINTS; 2613*8fb009dcSAndroid Build Coastguard Worker 2614*8fb009dcSAndroid Build Coastguard Worker // POLICY_CONSTRAINTS is an |ASN1_ITEM| whose ASN.1 type is PolicyConstraints 2615*8fb009dcSAndroid Build Coastguard Worker // (RFC 5280) and C type is |POLICY_CONSTRAINTS*|. 2616*8fb009dcSAndroid Build Coastguard Worker DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS) 2617*8fb009dcSAndroid Build Coastguard Worker 2618*8fb009dcSAndroid Build Coastguard Worker // POLICY_CONSTRAINTS_new returns a newly-allocated, empty |POLICY_CONSTRAINTS| 2619*8fb009dcSAndroid Build Coastguard Worker // object, or NULL on error. 2620*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT POLICY_CONSTRAINTS *POLICY_CONSTRAINTS_new(void); 2621*8fb009dcSAndroid Build Coastguard Worker 2622*8fb009dcSAndroid Build Coastguard Worker // POLICY_CONSTRAINTS_free releases memory associated with |pcons|. 2623*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void POLICY_CONSTRAINTS_free(POLICY_CONSTRAINTS *pcons); 2624*8fb009dcSAndroid Build Coastguard Worker 2625*8fb009dcSAndroid Build Coastguard Worker 2626*8fb009dcSAndroid Build Coastguard Worker // Algorithm identifiers. 2627*8fb009dcSAndroid Build Coastguard Worker // 2628*8fb009dcSAndroid Build Coastguard Worker // An |X509_ALGOR| represents an AlgorithmIdentifier structure, used in X.509 2629*8fb009dcSAndroid Build Coastguard Worker // to represent signature algorithms and public key algorithms. 2630*8fb009dcSAndroid Build Coastguard Worker 2631*8fb009dcSAndroid Build Coastguard Worker DEFINE_STACK_OF(X509_ALGOR) 2632*8fb009dcSAndroid Build Coastguard Worker 2633*8fb009dcSAndroid Build Coastguard Worker // X509_ALGOR is an |ASN1_ITEM| whose ASN.1 type is AlgorithmIdentifier and C 2634*8fb009dcSAndroid Build Coastguard Worker // type is |X509_ALGOR*|. 2635*8fb009dcSAndroid Build Coastguard Worker DECLARE_ASN1_ITEM(X509_ALGOR) 2636*8fb009dcSAndroid Build Coastguard Worker 2637*8fb009dcSAndroid Build Coastguard Worker // X509_ALGOR_new returns a newly-allocated, empty |X509_ALGOR| object, or NULL 2638*8fb009dcSAndroid Build Coastguard Worker // on error. 2639*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_ALGOR *X509_ALGOR_new(void); 2640*8fb009dcSAndroid Build Coastguard Worker 2641*8fb009dcSAndroid Build Coastguard Worker // X509_ALGOR_dup returns a newly-allocated copy of |alg|, or NULL on error. 2642*8fb009dcSAndroid Build Coastguard Worker // This function works by serializing the structure, so if |alg| is incomplete, 2643*8fb009dcSAndroid Build Coastguard Worker // it may fail. 2644*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_ALGOR *X509_ALGOR_dup(const X509_ALGOR *alg); 2645*8fb009dcSAndroid Build Coastguard Worker 2646*8fb009dcSAndroid Build Coastguard Worker // X509_ALGOR_free releases memory associated with |alg|. 2647*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_ALGOR_free(X509_ALGOR *alg); 2648*8fb009dcSAndroid Build Coastguard Worker 2649*8fb009dcSAndroid Build Coastguard Worker // d2i_X509_ALGOR parses up to |len| bytes from |*inp| as a DER-encoded 2650*8fb009dcSAndroid Build Coastguard Worker // AlgorithmIdentifier, as described in |d2i_SAMPLE|. 2651*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_ALGOR *d2i_X509_ALGOR(X509_ALGOR **out, const uint8_t **inp, 2652*8fb009dcSAndroid Build Coastguard Worker long len); 2653*8fb009dcSAndroid Build Coastguard Worker 2654*8fb009dcSAndroid Build Coastguard Worker // i2d_X509_ALGOR marshals |alg| as a DER-encoded AlgorithmIdentifier, as 2655*8fb009dcSAndroid Build Coastguard Worker // described in |i2d_SAMPLE|. 2656*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_X509_ALGOR(const X509_ALGOR *alg, uint8_t **outp); 2657*8fb009dcSAndroid Build Coastguard Worker 2658*8fb009dcSAndroid Build Coastguard Worker // X509_ALGOR_set0 sets |alg| to an AlgorithmIdentifier with algorithm |obj| and 2659*8fb009dcSAndroid Build Coastguard Worker // parameter determined by |param_type| and |param_value|. It returns one on 2660*8fb009dcSAndroid Build Coastguard Worker // success and zero on error. This function takes ownership of |obj| and 2661*8fb009dcSAndroid Build Coastguard Worker // |param_value| on success. 2662*8fb009dcSAndroid Build Coastguard Worker // 2663*8fb009dcSAndroid Build Coastguard Worker // If |param_type| is |V_ASN1_UNDEF|, the parameter is omitted. If |param_type| 2664*8fb009dcSAndroid Build Coastguard Worker // is zero, the parameter is left unchanged. Otherwise, |param_type| and 2665*8fb009dcSAndroid Build Coastguard Worker // |param_value| are interpreted as in |ASN1_TYPE_set|. 2666*8fb009dcSAndroid Build Coastguard Worker // 2667*8fb009dcSAndroid Build Coastguard Worker // Note omitting the parameter (|V_ASN1_UNDEF|) and encoding an explicit NULL 2668*8fb009dcSAndroid Build Coastguard Worker // value (|V_ASN1_NULL|) are different. Some algorithms require one and some the 2669*8fb009dcSAndroid Build Coastguard Worker // other. Consult the relevant specification before calling this function. The 2670*8fb009dcSAndroid Build Coastguard Worker // correct parameter for an RSASSA-PKCS1-v1_5 signature is |V_ASN1_NULL|. The 2671*8fb009dcSAndroid Build Coastguard Worker // correct one for an ECDSA or Ed25519 signature is |V_ASN1_UNDEF|. 2672*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *obj, 2673*8fb009dcSAndroid Build Coastguard Worker int param_type, void *param_value); 2674*8fb009dcSAndroid Build Coastguard Worker 2675*8fb009dcSAndroid Build Coastguard Worker // X509_ALGOR_get0 sets |*out_obj| to the |alg|'s algorithm. If |alg|'s 2676*8fb009dcSAndroid Build Coastguard Worker // parameter is omitted, it sets |*out_param_type| and |*out_param_value| to 2677*8fb009dcSAndroid Build Coastguard Worker // |V_ASN1_UNDEF| and NULL. Otherwise, it sets |*out_param_type| and 2678*8fb009dcSAndroid Build Coastguard Worker // |*out_param_value| to the parameter, using the same representation as 2679*8fb009dcSAndroid Build Coastguard Worker // |ASN1_TYPE_set0|. See |ASN1_TYPE_set0| and |ASN1_TYPE| for details. 2680*8fb009dcSAndroid Build Coastguard Worker // 2681*8fb009dcSAndroid Build Coastguard Worker // Callers that require the parameter in serialized form should, after checking 2682*8fb009dcSAndroid Build Coastguard Worker // for |V_ASN1_UNDEF|, use |ASN1_TYPE_set1| and |d2i_ASN1_TYPE|, rather than 2683*8fb009dcSAndroid Build Coastguard Worker // inspecting |*out_param_value|. 2684*8fb009dcSAndroid Build Coastguard Worker // 2685*8fb009dcSAndroid Build Coastguard Worker // Each of |out_obj|, |out_param_type|, and |out_param_value| may be NULL to 2686*8fb009dcSAndroid Build Coastguard Worker // ignore the output. If |out_param_type| is NULL, |out_param_value| is ignored. 2687*8fb009dcSAndroid Build Coastguard Worker // 2688*8fb009dcSAndroid Build Coastguard Worker // WARNING: If |*out_param_type| is set to |V_ASN1_UNDEF|, OpenSSL and older 2689*8fb009dcSAndroid Build Coastguard Worker // revisions of BoringSSL leave |*out_param_value| unset rather than setting it 2690*8fb009dcSAndroid Build Coastguard Worker // to NULL. Callers that support both OpenSSL and BoringSSL should not assume 2691*8fb009dcSAndroid Build Coastguard Worker // |*out_param_value| is uniformly initialized. 2692*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_ALGOR_get0(const ASN1_OBJECT **out_obj, 2693*8fb009dcSAndroid Build Coastguard Worker int *out_param_type, 2694*8fb009dcSAndroid Build Coastguard Worker const void **out_param_value, 2695*8fb009dcSAndroid Build Coastguard Worker const X509_ALGOR *alg); 2696*8fb009dcSAndroid Build Coastguard Worker 2697*8fb009dcSAndroid Build Coastguard Worker // X509_ALGOR_set_md sets |alg| to the hash function |md|. Note this 2698*8fb009dcSAndroid Build Coastguard Worker // AlgorithmIdentifier represents the hash function itself, not a signature 2699*8fb009dcSAndroid Build Coastguard Worker // algorithm that uses |md|. It returns one on success and zero on error. 2700*8fb009dcSAndroid Build Coastguard Worker // 2701*8fb009dcSAndroid Build Coastguard Worker // Due to historical specification mistakes (see Section 2.1 of RFC 4055), the 2702*8fb009dcSAndroid Build Coastguard Worker // parameters field is sometimes omitted and sometimes a NULL value. When used 2703*8fb009dcSAndroid Build Coastguard Worker // in RSASSA-PSS and RSAES-OAEP, it should be a NULL value. In other contexts, 2704*8fb009dcSAndroid Build Coastguard Worker // the parameters should be omitted. This function assumes the caller is 2705*8fb009dcSAndroid Build Coastguard Worker // constructing a RSASSA-PSS or RSAES-OAEP AlgorithmIdentifier and includes a 2706*8fb009dcSAndroid Build Coastguard Worker // NULL parameter. This differs from OpenSSL's behavior. 2707*8fb009dcSAndroid Build Coastguard Worker // 2708*8fb009dcSAndroid Build Coastguard Worker // TODO(davidben): Rename this function, or perhaps just add a bespoke API for 2709*8fb009dcSAndroid Build Coastguard Worker // constructing PSS and move on. 2710*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md); 2711*8fb009dcSAndroid Build Coastguard Worker 2712*8fb009dcSAndroid Build Coastguard Worker // X509_ALGOR_cmp returns zero if |a| and |b| are equal, and some non-zero value 2713*8fb009dcSAndroid Build Coastguard Worker // otherwise. Note this function can only be used for equality checks, not an 2714*8fb009dcSAndroid Build Coastguard Worker // ordering. 2715*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b); 2716*8fb009dcSAndroid Build Coastguard Worker 2717*8fb009dcSAndroid Build Coastguard Worker 2718*8fb009dcSAndroid Build Coastguard Worker // Attributes. 2719*8fb009dcSAndroid Build Coastguard Worker // 2720*8fb009dcSAndroid Build Coastguard Worker // Unlike certificates and CRLs, CSRs use a separate Attribute structure (RFC 2721*8fb009dcSAndroid Build Coastguard Worker // 2985, RFC 2986) for extensibility. This is represented by the library as 2722*8fb009dcSAndroid Build Coastguard Worker // |X509_ATTRIBUTE|. 2723*8fb009dcSAndroid Build Coastguard Worker 2724*8fb009dcSAndroid Build Coastguard Worker DEFINE_STACK_OF(X509_ATTRIBUTE) 2725*8fb009dcSAndroid Build Coastguard Worker 2726*8fb009dcSAndroid Build Coastguard Worker // X509_ATTRIBUTE_new returns a newly-allocated, empty |X509_ATTRIBUTE| object, 2727*8fb009dcSAndroid Build Coastguard Worker // or NULL on error. |X509_ATTRIBUTE_set1_*| may be used to finish initializing 2728*8fb009dcSAndroid Build Coastguard Worker // it. 2729*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_new(void); 2730*8fb009dcSAndroid Build Coastguard Worker 2731*8fb009dcSAndroid Build Coastguard Worker // X509_ATTRIBUTE_dup returns a newly-allocated copy of |attr|, or NULL on 2732*8fb009dcSAndroid Build Coastguard Worker // error. This function works by serializing the structure, so if |attr| is 2733*8fb009dcSAndroid Build Coastguard Worker // incomplete, it may fail. 2734*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_dup(const X509_ATTRIBUTE *attr); 2735*8fb009dcSAndroid Build Coastguard Worker 2736*8fb009dcSAndroid Build Coastguard Worker // X509_ATTRIBUTE_free releases memory associated with |attr|. 2737*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_ATTRIBUTE_free(X509_ATTRIBUTE *attr); 2738*8fb009dcSAndroid Build Coastguard Worker 2739*8fb009dcSAndroid Build Coastguard Worker // d2i_X509_ATTRIBUTE parses up to |len| bytes from |*inp| as a DER-encoded 2740*8fb009dcSAndroid Build Coastguard Worker // Attribute (RFC 2986), as described in |d2i_SAMPLE|. 2741*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_ATTRIBUTE *d2i_X509_ATTRIBUTE(X509_ATTRIBUTE **out, 2742*8fb009dcSAndroid Build Coastguard Worker const uint8_t **inp, 2743*8fb009dcSAndroid Build Coastguard Worker long len); 2744*8fb009dcSAndroid Build Coastguard Worker 2745*8fb009dcSAndroid Build Coastguard Worker // i2d_X509_ATTRIBUTE marshals |alg| as a DER-encoded Attribute (RFC 2986), as 2746*8fb009dcSAndroid Build Coastguard Worker // described in |i2d_SAMPLE|. 2747*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_X509_ATTRIBUTE(const X509_ATTRIBUTE *alg, 2748*8fb009dcSAndroid Build Coastguard Worker uint8_t **outp); 2749*8fb009dcSAndroid Build Coastguard Worker 2750*8fb009dcSAndroid Build Coastguard Worker // X509_ATTRIBUTE_create returns a newly-allocated |X509_ATTRIBUTE|, or NULL on 2751*8fb009dcSAndroid Build Coastguard Worker // error. The attribute has type |nid| and contains a single value determined by 2752*8fb009dcSAndroid Build Coastguard Worker // |attrtype| and |value|, which are interpreted as in |ASN1_TYPE_set|. Note 2753*8fb009dcSAndroid Build Coastguard Worker // this function takes ownership of |value|. 2754*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int attrtype, 2755*8fb009dcSAndroid Build Coastguard Worker void *value); 2756*8fb009dcSAndroid Build Coastguard Worker 2757*8fb009dcSAndroid Build Coastguard Worker // X509_ATTRIBUTE_create_by_NID returns a newly-allocated |X509_ATTRIBUTE| of 2758*8fb009dcSAndroid Build Coastguard Worker // type |nid|, or NULL on error. The value is determined as in 2759*8fb009dcSAndroid Build Coastguard Worker // |X509_ATTRIBUTE_set1_data|. 2760*8fb009dcSAndroid Build Coastguard Worker // 2761*8fb009dcSAndroid Build Coastguard Worker // If |attr| is non-NULL, the resulting |X509_ATTRIBUTE| is also written to 2762*8fb009dcSAndroid Build Coastguard Worker // |*attr|. If |*attr| was non-NULL when the function was called, |*attr| is 2763*8fb009dcSAndroid Build Coastguard Worker // reused instead of creating a new object. 2764*8fb009dcSAndroid Build Coastguard Worker // 2765*8fb009dcSAndroid Build Coastguard Worker // WARNING: The interpretation of |attrtype|, |data|, and |len| is complex and 2766*8fb009dcSAndroid Build Coastguard Worker // error-prone. See |X509_ATTRIBUTE_set1_data| for details. 2767*8fb009dcSAndroid Build Coastguard Worker // 2768*8fb009dcSAndroid Build Coastguard Worker // WARNING: The object reuse form is deprecated and may be removed in the 2769*8fb009dcSAndroid Build Coastguard Worker // future. It also currently incorrectly appends to the reused object's value 2770*8fb009dcSAndroid Build Coastguard Worker // set rather than overwriting it. 2771*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID( 2772*8fb009dcSAndroid Build Coastguard Worker X509_ATTRIBUTE **attr, int nid, int attrtype, const void *data, int len); 2773*8fb009dcSAndroid Build Coastguard Worker 2774*8fb009dcSAndroid Build Coastguard Worker // X509_ATTRIBUTE_create_by_OBJ behaves like |X509_ATTRIBUTE_create_by_NID| 2775*8fb009dcSAndroid Build Coastguard Worker // except the attribute's type is determined by |obj|. 2776*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ( 2777*8fb009dcSAndroid Build Coastguard Worker X509_ATTRIBUTE **attr, const ASN1_OBJECT *obj, int attrtype, 2778*8fb009dcSAndroid Build Coastguard Worker const void *data, int len); 2779*8fb009dcSAndroid Build Coastguard Worker 2780*8fb009dcSAndroid Build Coastguard Worker // X509_ATTRIBUTE_create_by_txt behaves like |X509_ATTRIBUTE_create_by_NID| 2781*8fb009dcSAndroid Build Coastguard Worker // except the attribute's type is determined by calling |OBJ_txt2obj| with 2782*8fb009dcSAndroid Build Coastguard Worker // |attrname|. 2783*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt( 2784*8fb009dcSAndroid Build Coastguard Worker X509_ATTRIBUTE **attr, const char *attrname, int type, 2785*8fb009dcSAndroid Build Coastguard Worker const unsigned char *bytes, int len); 2786*8fb009dcSAndroid Build Coastguard Worker 2787*8fb009dcSAndroid Build Coastguard Worker // X509_ATTRIBUTE_set1_object sets |attr|'s type to |obj|. It returns one on 2788*8fb009dcSAndroid Build Coastguard Worker // success and zero on error. 2789*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, 2790*8fb009dcSAndroid Build Coastguard Worker const ASN1_OBJECT *obj); 2791*8fb009dcSAndroid Build Coastguard Worker 2792*8fb009dcSAndroid Build Coastguard Worker // X509_ATTRIBUTE_set1_data appends a value to |attr|'s value set and returns 2793*8fb009dcSAndroid Build Coastguard Worker // one on success or zero on error. The value is determined as follows: 2794*8fb009dcSAndroid Build Coastguard Worker // 2795*8fb009dcSAndroid Build Coastguard Worker // If |attrtype| is zero, this function returns one and does nothing. This form 2796*8fb009dcSAndroid Build Coastguard Worker // may be used when calling |X509_ATTRIBUTE_create_by_*| to create an attribute 2797*8fb009dcSAndroid Build Coastguard Worker // with an empty value set. Such attributes are invalid, but OpenSSL supports 2798*8fb009dcSAndroid Build Coastguard Worker // creating them. 2799*8fb009dcSAndroid Build Coastguard Worker // 2800*8fb009dcSAndroid Build Coastguard Worker // Otherwise, if |attrtype| is a |MBSTRING_*| constant, the value is an ASN.1 2801*8fb009dcSAndroid Build Coastguard Worker // string. The string is determined by decoding |len| bytes from |data| in the 2802*8fb009dcSAndroid Build Coastguard Worker // encoding specified by |attrtype|, and then re-encoding it in a form 2803*8fb009dcSAndroid Build Coastguard Worker // appropriate for |attr|'s type. If |len| is -1, |strlen(data)| is used 2804*8fb009dcSAndroid Build Coastguard Worker // instead. See |ASN1_STRING_set_by_NID| for details. 2805*8fb009dcSAndroid Build Coastguard Worker // 2806*8fb009dcSAndroid Build Coastguard Worker // Otherwise, if |len| is not -1, the value is an ASN.1 string. |attrtype| is an 2807*8fb009dcSAndroid Build Coastguard Worker // |ASN1_STRING| type value and the |len| bytes from |data| are copied as the 2808*8fb009dcSAndroid Build Coastguard Worker // type-specific representation of |ASN1_STRING|. See |ASN1_STRING| for details. 2809*8fb009dcSAndroid Build Coastguard Worker // 2810*8fb009dcSAndroid Build Coastguard Worker // Otherwise, if |len| is -1, the value is constructed by passing |attrtype| and 2811*8fb009dcSAndroid Build Coastguard Worker // |data| to |ASN1_TYPE_set1|. That is, |attrtype| is an |ASN1_TYPE| type value, 2812*8fb009dcSAndroid Build Coastguard Worker // and |data| is cast to the corresponding pointer type. 2813*8fb009dcSAndroid Build Coastguard Worker // 2814*8fb009dcSAndroid Build Coastguard Worker // WARNING: Despite the name, this function appends to |attr|'s value set, 2815*8fb009dcSAndroid Build Coastguard Worker // rather than overwriting it. To overwrite the value set, create a new 2816*8fb009dcSAndroid Build Coastguard Worker // |X509_ATTRIBUTE| with |X509_ATTRIBUTE_new|. 2817*8fb009dcSAndroid Build Coastguard Worker // 2818*8fb009dcSAndroid Build Coastguard Worker // WARNING: If using the |MBSTRING_*| form, pass a length rather than relying on 2819*8fb009dcSAndroid Build Coastguard Worker // |strlen|. In particular, |strlen| will not behave correctly if the input is 2820*8fb009dcSAndroid Build Coastguard Worker // |MBSTRING_BMP| or |MBSTRING_UNIV|. 2821*8fb009dcSAndroid Build Coastguard Worker // 2822*8fb009dcSAndroid Build Coastguard Worker // WARNING: This function currently misinterprets |V_ASN1_OTHER| as an 2823*8fb009dcSAndroid Build Coastguard Worker // |MBSTRING_*| constant. This matches OpenSSL but means it is impossible to 2824*8fb009dcSAndroid Build Coastguard Worker // construct a value with a non-universal tag. 2825*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, 2826*8fb009dcSAndroid Build Coastguard Worker const void *data, int len); 2827*8fb009dcSAndroid Build Coastguard Worker 2828*8fb009dcSAndroid Build Coastguard Worker // X509_ATTRIBUTE_get0_data returns the |idx|th value of |attr| in a 2829*8fb009dcSAndroid Build Coastguard Worker // type-specific representation to |attrtype|, or NULL if out of bounds or the 2830*8fb009dcSAndroid Build Coastguard Worker // type does not match. |attrtype| is one of the type values in |ASN1_TYPE|. On 2831*8fb009dcSAndroid Build Coastguard Worker // match, the return value uses the same representation as |ASN1_TYPE_set0|. See 2832*8fb009dcSAndroid Build Coastguard Worker // |ASN1_TYPE| for details. 2833*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx, 2834*8fb009dcSAndroid Build Coastguard Worker int attrtype, void *unused); 2835*8fb009dcSAndroid Build Coastguard Worker 2836*8fb009dcSAndroid Build Coastguard Worker // X509_ATTRIBUTE_count returns the number of values in |attr|. 2837*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_ATTRIBUTE_count(const X509_ATTRIBUTE *attr); 2838*8fb009dcSAndroid Build Coastguard Worker 2839*8fb009dcSAndroid Build Coastguard Worker // X509_ATTRIBUTE_get0_object returns the type of |attr|. 2840*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr); 2841*8fb009dcSAndroid Build Coastguard Worker 2842*8fb009dcSAndroid Build Coastguard Worker // X509_ATTRIBUTE_get0_type returns the |idx|th value in |attr|, or NULL if out 2843*8fb009dcSAndroid Build Coastguard Worker // of bounds. Note this function returns one of |attr|'s values, not the type. 2844*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, 2845*8fb009dcSAndroid Build Coastguard Worker int idx); 2846*8fb009dcSAndroid Build Coastguard Worker 2847*8fb009dcSAndroid Build Coastguard Worker 2848*8fb009dcSAndroid Build Coastguard Worker // Certificate stores. 2849*8fb009dcSAndroid Build Coastguard Worker // 2850*8fb009dcSAndroid Build Coastguard Worker // An |X509_STORE| contains trusted certificates, CRLs, and verification 2851*8fb009dcSAndroid Build Coastguard Worker // parameters that are shared between multiple certificate verifications. 2852*8fb009dcSAndroid Build Coastguard Worker // 2853*8fb009dcSAndroid Build Coastguard Worker // Certificates in an |X509_STORE| are referred to as "trusted certificates", 2854*8fb009dcSAndroid Build Coastguard Worker // but an individual certificate verification may not necessarily treat every 2855*8fb009dcSAndroid Build Coastguard Worker // trusted certificate as a trust anchor. See |X509_VERIFY_PARAM_set_trust| for 2856*8fb009dcSAndroid Build Coastguard Worker // details. 2857*8fb009dcSAndroid Build Coastguard Worker // 2858*8fb009dcSAndroid Build Coastguard Worker // WARNING: Although a trusted certificate which fails the 2859*8fb009dcSAndroid Build Coastguard Worker // |X509_VERIFY_PARAM_set_trust| check is functionally an untrusted 2860*8fb009dcSAndroid Build Coastguard Worker // intermediate certificate, callers should not rely on this to configure 2861*8fb009dcSAndroid Build Coastguard Worker // untrusted intermediates in an |X509_STORE|. The trust check is complex, so 2862*8fb009dcSAndroid Build Coastguard Worker // this risks inadvertently treating it as a trust anchor. Instead, configure 2863*8fb009dcSAndroid Build Coastguard Worker // untrusted intermediates with the |chain| parameter of |X509_STORE_CTX_init|. 2864*8fb009dcSAndroid Build Coastguard Worker // 2865*8fb009dcSAndroid Build Coastguard Worker // Certificates in |X509_STORE| may be specified in several ways: 2866*8fb009dcSAndroid Build Coastguard Worker // - Added by |X509_STORE_add_cert|. 2867*8fb009dcSAndroid Build Coastguard Worker // - Returned by an |X509_LOOKUP| added by |X509_STORE_add_lookup|. 2868*8fb009dcSAndroid Build Coastguard Worker // 2869*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE|s are reference-counted and may be shared by certificate 2870*8fb009dcSAndroid Build Coastguard Worker // verifications running concurrently on multiple threads. However, an 2871*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE|'s verification parameters may not be modified concurrently with 2872*8fb009dcSAndroid Build Coastguard Worker // certificate verification or other operations. Unless otherwise documented, 2873*8fb009dcSAndroid Build Coastguard Worker // functions which take const pointer may be used concurrently, while 2874*8fb009dcSAndroid Build Coastguard Worker // functions which take a non-const pointer may not. Callers that wish to modify 2875*8fb009dcSAndroid Build Coastguard Worker // verification parameters in a shared |X509_STORE| should instead modify 2876*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE_CTX|s individually. 2877*8fb009dcSAndroid Build Coastguard Worker // 2878*8fb009dcSAndroid Build Coastguard Worker // Objects in an |X509_STORE| are represented as an |X509_OBJECT|. Some 2879*8fb009dcSAndroid Build Coastguard Worker // functions in this library return values with this type. 2880*8fb009dcSAndroid Build Coastguard Worker 2881*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_new returns a newly-allocated |X509_STORE|, or NULL on error. 2882*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_STORE *X509_STORE_new(void); 2883*8fb009dcSAndroid Build Coastguard Worker 2884*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_up_ref adds one to the reference count of |store| and returns one. 2885*8fb009dcSAndroid Build Coastguard Worker // Although |store| is not const, this function's use of |store| is thread-safe. 2886*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_STORE_up_ref(X509_STORE *store); 2887*8fb009dcSAndroid Build Coastguard Worker 2888*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_free releases memory associated with |store|. 2889*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_STORE_free(X509_STORE *store); 2890*8fb009dcSAndroid Build Coastguard Worker 2891*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_add_cert adds |x509| to |store| as a trusted certificate. It 2892*8fb009dcSAndroid Build Coastguard Worker // returns one on success and zero on error. This function internally increments 2893*8fb009dcSAndroid Build Coastguard Worker // |x509|'s reference count, so the caller retains ownership of |x509|. 2894*8fb009dcSAndroid Build Coastguard Worker // 2895*8fb009dcSAndroid Build Coastguard Worker // Certificates configured by this function are still subject to the checks 2896*8fb009dcSAndroid Build Coastguard Worker // described in |X509_VERIFY_PARAM_set_trust|. 2897*8fb009dcSAndroid Build Coastguard Worker // 2898*8fb009dcSAndroid Build Coastguard Worker // Although |store| is not const, this function's use of |store| is thread-safe. 2899*8fb009dcSAndroid Build Coastguard Worker // However, if this function is called concurrently with |X509_verify_cert|, it 2900*8fb009dcSAndroid Build Coastguard Worker // is a race condition whether |x509| is available for issuer lookups. 2901*8fb009dcSAndroid Build Coastguard Worker // Moreover, the result may differ for each issuer lookup performed by a single 2902*8fb009dcSAndroid Build Coastguard Worker // |X509_verify_cert| call. 2903*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_STORE_add_cert(X509_STORE *store, X509 *x509); 2904*8fb009dcSAndroid Build Coastguard Worker 2905*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_add_crl adds |crl| to |store|. It returns one on success and zero 2906*8fb009dcSAndroid Build Coastguard Worker // on error. This function internally increments |crl|'s reference count, so the 2907*8fb009dcSAndroid Build Coastguard Worker // caller retains ownership of |crl|. CRLs added in this way are candidates for 2908*8fb009dcSAndroid Build Coastguard Worker // CRL lookup when |X509_V_FLAG_CRL_CHECK| is set. 2909*8fb009dcSAndroid Build Coastguard Worker // 2910*8fb009dcSAndroid Build Coastguard Worker // Although |store| is not const, this function's use of |store| is thread-safe. 2911*8fb009dcSAndroid Build Coastguard Worker // However, if this function is called concurrently with |X509_verify_cert|, it 2912*8fb009dcSAndroid Build Coastguard Worker // is a race condition whether |crl| is available for CRL checks. Moreover, the 2913*8fb009dcSAndroid Build Coastguard Worker // result may differ for each CRL check performed by a single 2914*8fb009dcSAndroid Build Coastguard Worker // |X509_verify_cert| call. 2915*8fb009dcSAndroid Build Coastguard Worker // 2916*8fb009dcSAndroid Build Coastguard Worker // Note there are no supported APIs to remove CRLs from |store| once inserted. 2917*8fb009dcSAndroid Build Coastguard Worker // To vary the set of CRLs over time, callers should either create a new 2918*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE| or configure CRLs on a per-verification basis with 2919*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE_CTX_set0_crls|. 2920*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_STORE_add_crl(X509_STORE *store, X509_CRL *crl); 2921*8fb009dcSAndroid Build Coastguard Worker 2922*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_get0_param returns |store|'s verification parameters. This object 2923*8fb009dcSAndroid Build Coastguard Worker // is mutable and may be modified by the caller. For an individual certificate 2924*8fb009dcSAndroid Build Coastguard Worker // verification operation, |X509_STORE_CTX_init| initializes the 2925*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE_CTX|'s parameters with these parameters. 2926*8fb009dcSAndroid Build Coastguard Worker // 2927*8fb009dcSAndroid Build Coastguard Worker // WARNING: |X509_STORE_CTX_init| applies some default parameters (as in 2928*8fb009dcSAndroid Build Coastguard Worker // |X509_VERIFY_PARAM_inherit|) after copying |store|'s parameters. This means 2929*8fb009dcSAndroid Build Coastguard Worker // it is impossible to leave some parameters unset at |store|. They must be 2930*8fb009dcSAndroid Build Coastguard Worker // explicitly unset after creating the |X509_STORE_CTX|. 2931*8fb009dcSAndroid Build Coastguard Worker // 2932*8fb009dcSAndroid Build Coastguard Worker // As of writing these late defaults are a depth limit (see 2933*8fb009dcSAndroid Build Coastguard Worker // |X509_VERIFY_PARAM_set_depth|) and the |X509_V_FLAG_TRUSTED_FIRST| flag. This 2934*8fb009dcSAndroid Build Coastguard Worker // warning does not apply if the parameters were set in |store|. 2935*8fb009dcSAndroid Build Coastguard Worker // 2936*8fb009dcSAndroid Build Coastguard Worker // TODO(crbug.com/boringssl/441): This behavior is very surprising. Can we 2937*8fb009dcSAndroid Build Coastguard Worker // remove this notion of late defaults? The unsettable value at |X509_STORE| is 2938*8fb009dcSAndroid Build Coastguard Worker // -1, which rejects everything but explicitly-trusted self-signed certificates. 2939*8fb009dcSAndroid Build Coastguard Worker // |X509_V_FLAG_TRUSTED_FIRST| is mostly a workaround for poor path-building. 2940*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *store); 2941*8fb009dcSAndroid Build Coastguard Worker 2942*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_set1_param copies verification parameters from |param| as in 2943*8fb009dcSAndroid Build Coastguard Worker // |X509_VERIFY_PARAM_set1|. It returns one on success and zero on error. 2944*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_STORE_set1_param(X509_STORE *store, 2945*8fb009dcSAndroid Build Coastguard Worker const X509_VERIFY_PARAM *param); 2946*8fb009dcSAndroid Build Coastguard Worker 2947*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_set_flags enables all values in |flags| in |store|'s verification 2948*8fb009dcSAndroid Build Coastguard Worker // flags. |flags| should be a combination of |X509_V_FLAG_*| constants. 2949*8fb009dcSAndroid Build Coastguard Worker // 2950*8fb009dcSAndroid Build Coastguard Worker // WARNING: These flags will be combined with default flags when copied to an 2951*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE_CTX|. This means it is impossible to unset those defaults from 2952*8fb009dcSAndroid Build Coastguard Worker // the |X509_STORE|. See discussion in |X509_STORE_get0_param|. 2953*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_STORE_set_flags(X509_STORE *store, unsigned long flags); 2954*8fb009dcSAndroid Build Coastguard Worker 2955*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_set_depth configures |store| to, by default, limit certificate 2956*8fb009dcSAndroid Build Coastguard Worker // chains to |depth| intermediate certificates. This count excludes both the 2957*8fb009dcSAndroid Build Coastguard Worker // target certificate and the trust anchor (root certificate). 2958*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_STORE_set_depth(X509_STORE *store, int depth); 2959*8fb009dcSAndroid Build Coastguard Worker 2960*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_set_purpose configures the purpose check for |store|. See 2961*8fb009dcSAndroid Build Coastguard Worker // |X509_VERIFY_PARAM_set_purpose| for details. 2962*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_STORE_set_purpose(X509_STORE *store, int purpose); 2963*8fb009dcSAndroid Build Coastguard Worker 2964*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_set_trust configures the trust check for |store|. See 2965*8fb009dcSAndroid Build Coastguard Worker // |X509_VERIFY_PARAM_set_trust| for details. 2966*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_STORE_set_trust(X509_STORE *store, int trust); 2967*8fb009dcSAndroid Build Coastguard Worker 2968*8fb009dcSAndroid Build Coastguard Worker // The following constants indicate the type of an |X509_OBJECT|. 2969*8fb009dcSAndroid Build Coastguard Worker #define X509_LU_NONE 0 2970*8fb009dcSAndroid Build Coastguard Worker #define X509_LU_X509 1 2971*8fb009dcSAndroid Build Coastguard Worker #define X509_LU_CRL 2 2972*8fb009dcSAndroid Build Coastguard Worker #define X509_LU_PKEY 3 2973*8fb009dcSAndroid Build Coastguard Worker 2974*8fb009dcSAndroid Build Coastguard Worker DEFINE_STACK_OF(X509_OBJECT) 2975*8fb009dcSAndroid Build Coastguard Worker 2976*8fb009dcSAndroid Build Coastguard Worker // X509_OBJECT_new returns a newly-allocated, empty |X509_OBJECT| or NULL on 2977*8fb009dcSAndroid Build Coastguard Worker // error. 2978*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_OBJECT *X509_OBJECT_new(void); 2979*8fb009dcSAndroid Build Coastguard Worker 2980*8fb009dcSAndroid Build Coastguard Worker // X509_OBJECT_free releases memory associated with |obj|. 2981*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_OBJECT_free(X509_OBJECT *obj); 2982*8fb009dcSAndroid Build Coastguard Worker 2983*8fb009dcSAndroid Build Coastguard Worker // X509_OBJECT_get_type returns the type of |obj|, which will be one of the 2984*8fb009dcSAndroid Build Coastguard Worker // |X509_LU_*| constants. 2985*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_OBJECT_get_type(const X509_OBJECT *obj); 2986*8fb009dcSAndroid Build Coastguard Worker 2987*8fb009dcSAndroid Build Coastguard Worker // X509_OBJECT_get0_X509 returns |obj| as a certificate, or NULL if |obj| is not 2988*8fb009dcSAndroid Build Coastguard Worker // a certificate. 2989*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509 *X509_OBJECT_get0_X509(const X509_OBJECT *obj); 2990*8fb009dcSAndroid Build Coastguard Worker 2991*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_get1_objects returns a newly-allocated stack containing the 2992*8fb009dcSAndroid Build Coastguard Worker // contents of |store|, or NULL on error. The caller must release the result 2993*8fb009dcSAndroid Build Coastguard Worker // with |sk_X509_OBJECT_pop_free| and |X509_OBJECT_free| when done. 2994*8fb009dcSAndroid Build Coastguard Worker // 2995*8fb009dcSAndroid Build Coastguard Worker // The result will include all certificates and CRLs added via 2996*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE_add_cert| and |X509_STORE_add_crl|, as well as any cached objects 2997*8fb009dcSAndroid Build Coastguard Worker // added by |X509_LOOKUP_add_dir|. The last of these may change over time, as 2998*8fb009dcSAndroid Build Coastguard Worker // different objects are loaded from the filesystem. Callers should not depend 2999*8fb009dcSAndroid Build Coastguard Worker // on this caching behavior. The objects are returned in no particular order. 3000*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT STACK_OF(X509_OBJECT) *X509_STORE_get1_objects( 3001*8fb009dcSAndroid Build Coastguard Worker X509_STORE *store); 3002*8fb009dcSAndroid Build Coastguard Worker 3003*8fb009dcSAndroid Build Coastguard Worker 3004*8fb009dcSAndroid Build Coastguard Worker // Certificate verification. 3005*8fb009dcSAndroid Build Coastguard Worker // 3006*8fb009dcSAndroid Build Coastguard Worker // An |X509_STORE_CTX| object represents a single certificate verification 3007*8fb009dcSAndroid Build Coastguard Worker // operation. To verify a certificate chain, callers construct an 3008*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE_CTX|, initialize it with |X509_STORE_CTX_init|, configure extra 3009*8fb009dcSAndroid Build Coastguard Worker // parameters with |X509_STORE_CTX_get0_param|, and call |X509_verify_cert|. 3010*8fb009dcSAndroid Build Coastguard Worker 3011*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_new returns a newly-allocated, empty |X509_STORE_CTX|, or NULL 3012*8fb009dcSAndroid Build Coastguard Worker // on error. 3013*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_STORE_CTX *X509_STORE_CTX_new(void); 3014*8fb009dcSAndroid Build Coastguard Worker 3015*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_free releases memory associated with |ctx|. 3016*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_STORE_CTX_free(X509_STORE_CTX *ctx); 3017*8fb009dcSAndroid Build Coastguard Worker 3018*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_init initializes |ctx| to verify |x509|, using trusted 3019*8fb009dcSAndroid Build Coastguard Worker // certificates and parameters in |store|. It returns one on success and zero on 3020*8fb009dcSAndroid Build Coastguard Worker // error. |chain| is a list of untrusted intermediate certificates to use in 3021*8fb009dcSAndroid Build Coastguard Worker // verification. 3022*8fb009dcSAndroid Build Coastguard Worker // 3023*8fb009dcSAndroid Build Coastguard Worker // |ctx| stores pointers to |store|, |x509|, and |chain|. Each of these objects 3024*8fb009dcSAndroid Build Coastguard Worker // must outlive |ctx| and may not be mutated for the duration of the certificate 3025*8fb009dcSAndroid Build Coastguard Worker // verification. 3026*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, 3027*8fb009dcSAndroid Build Coastguard Worker X509 *x509, STACK_OF(X509) *chain); 3028*8fb009dcSAndroid Build Coastguard Worker 3029*8fb009dcSAndroid Build Coastguard Worker // X509_verify_cert performs certifice verification with |ctx|, which must have 3030*8fb009dcSAndroid Build Coastguard Worker // been initialized with |X509_STORE_CTX_init|. It returns one on success and 3031*8fb009dcSAndroid Build Coastguard Worker // zero on error. On success, |X509_STORE_CTX_get0_chain| or 3032*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE_CTX_get1_chain| may be used to return the verified certificate 3033*8fb009dcSAndroid Build Coastguard Worker // chain. On error, |X509_STORE_CTX_get_error| may be used to return additional 3034*8fb009dcSAndroid Build Coastguard Worker // error information. 3035*8fb009dcSAndroid Build Coastguard Worker // 3036*8fb009dcSAndroid Build Coastguard Worker // WARNING: Most failure conditions from this function do not use the error 3037*8fb009dcSAndroid Build Coastguard Worker // queue. Use |X509_STORE_CTX_get_error| to determine the cause of the error. 3038*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_verify_cert(X509_STORE_CTX *ctx); 3039*8fb009dcSAndroid Build Coastguard Worker 3040*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_get0_chain, after a successful |X509_verify_cert| call, 3041*8fb009dcSAndroid Build Coastguard Worker // returns the verified certificate chain. The chain begins with the leaf and 3042*8fb009dcSAndroid Build Coastguard Worker // ends with trust anchor. 3043*8fb009dcSAndroid Build Coastguard Worker // 3044*8fb009dcSAndroid Build Coastguard Worker // At other points, such as after a failed verification or during the deprecated 3045*8fb009dcSAndroid Build Coastguard Worker // verification callback, it returns the partial chain built so far. Callers 3046*8fb009dcSAndroid Build Coastguard Worker // should avoid relying on this as this exposes unstable library implementation 3047*8fb009dcSAndroid Build Coastguard Worker // details. 3048*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get0_chain( 3049*8fb009dcSAndroid Build Coastguard Worker const X509_STORE_CTX *ctx); 3050*8fb009dcSAndroid Build Coastguard Worker 3051*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_get1_chain behaves like |X509_STORE_CTX_get0_chain| but 3052*8fb009dcSAndroid Build Coastguard Worker // returns a newly-allocated |STACK_OF(X509)| containing the completed chain, 3053*8fb009dcSAndroid Build Coastguard Worker // with each certificate's reference count incremented. Callers must free the 3054*8fb009dcSAndroid Build Coastguard Worker // result with |sk_X509_pop_free| and |X509_free| when done. 3055*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get1_chain( 3056*8fb009dcSAndroid Build Coastguard Worker const X509_STORE_CTX *ctx); 3057*8fb009dcSAndroid Build Coastguard Worker 3058*8fb009dcSAndroid Build Coastguard Worker // The following values are possible outputs of |X509_STORE_CTX_get_error|. 3059*8fb009dcSAndroid Build Coastguard Worker #define X509_V_OK 0 3060*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_UNSPECIFIED 1 3061*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2 3062*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_UNABLE_TO_GET_CRL 3 3063*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE 4 3064*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE 5 3065*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6 3066*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_CERT_SIGNATURE_FAILURE 7 3067*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_CRL_SIGNATURE_FAILURE 8 3068*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_CERT_NOT_YET_VALID 9 3069*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_CERT_HAS_EXPIRED 10 3070*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_CRL_NOT_YET_VALID 11 3071*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_CRL_HAS_EXPIRED 12 3072*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD 13 3073*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD 14 3074*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD 15 3075*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD 16 3076*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_OUT_OF_MEM 17 3077*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18 3078*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN 19 3079*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20 3080*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE 21 3081*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_CERT_CHAIN_TOO_LONG 22 3082*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_CERT_REVOKED 23 3083*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_INVALID_CA 24 3084*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_PATH_LENGTH_EXCEEDED 25 3085*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_INVALID_PURPOSE 26 3086*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_CERT_UNTRUSTED 27 3087*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_CERT_REJECTED 28 3088*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_SUBJECT_ISSUER_MISMATCH 29 3089*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_AKID_SKID_MISMATCH 30 3090*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH 31 3091*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_KEYUSAGE_NO_CERTSIGN 32 3092*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33 3093*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34 3094*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35 3095*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36 3096*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_INVALID_NON_CA 37 3097*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38 3098*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39 3099*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40 3100*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_INVALID_EXTENSION 41 3101*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_INVALID_POLICY_EXTENSION 42 3102*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_NO_EXPLICIT_POLICY 43 3103*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_DIFFERENT_CRL_SCOPE 44 3104*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE 45 3105*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_UNNESTED_RESOURCE 46 3106*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_PERMITTED_VIOLATION 47 3107*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_EXCLUDED_VIOLATION 48 3108*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_SUBTREE_MINMAX 49 3109*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_APPLICATION_VERIFICATION 50 3110*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE 51 3111*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX 52 3112*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53 3113*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_CRL_PATH_VALIDATION_ERROR 54 3114*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_HOSTNAME_MISMATCH 62 3115*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_EMAIL_MISMATCH 63 3116*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_IP_ADDRESS_MISMATCH 64 3117*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_INVALID_CALL 65 3118*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_STORE_LOOKUP 66 3119*8fb009dcSAndroid Build Coastguard Worker #define X509_V_ERR_NAME_CONSTRAINTS_WITHOUT_SANS 67 3120*8fb009dcSAndroid Build Coastguard Worker 3121*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_get_error, after |X509_verify_cert| returns, returns 3122*8fb009dcSAndroid Build Coastguard Worker // |X509_V_OK| if verification succeeded or an |X509_V_ERR_*| describing why 3123*8fb009dcSAndroid Build Coastguard Worker // verification failed. This will be consistent with |X509_verify_cert|'s return 3124*8fb009dcSAndroid Build Coastguard Worker // value, unless the caller used the deprecated verification callback (see 3125*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE_CTX_set_verify_cb|) in a way that breaks |ctx|'s invariants. 3126*8fb009dcSAndroid Build Coastguard Worker // 3127*8fb009dcSAndroid Build Coastguard Worker // If called during the deprecated verification callback when |ok| is zero, it 3128*8fb009dcSAndroid Build Coastguard Worker // returns the current error under consideration. 3129*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_STORE_CTX_get_error(const X509_STORE_CTX *ctx); 3130*8fb009dcSAndroid Build Coastguard Worker 3131*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_set_error sets |ctx|'s error to |err|, which should be 3132*8fb009dcSAndroid Build Coastguard Worker // |X509_V_OK| or an |X509_V_ERR_*| constant. It is not expected to be called in 3133*8fb009dcSAndroid Build Coastguard Worker // typical |X509_STORE_CTX| usage, but may be used in callback APIs where 3134*8fb009dcSAndroid Build Coastguard Worker // applications synthesize |X509_STORE_CTX| error conditions. See also 3135*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE_CTX_set_verify_cb| and |SSL_CTX_set_cert_verify_callback|. 3136*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err); 3137*8fb009dcSAndroid Build Coastguard Worker 3138*8fb009dcSAndroid Build Coastguard Worker // X509_verify_cert_error_string returns |err| as a human-readable string, where 3139*8fb009dcSAndroid Build Coastguard Worker // |err| should be one of the |X509_V_*| values. If |err| is unknown, it returns 3140*8fb009dcSAndroid Build Coastguard Worker // a default description. 3141*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT const char *X509_verify_cert_error_string(long err); 3142*8fb009dcSAndroid Build Coastguard Worker 3143*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_get_error_depth returns the depth at which the error returned 3144*8fb009dcSAndroid Build Coastguard Worker // by |X509_STORE_CTX_get_error| occured. This is zero-indexed integer into the 3145*8fb009dcSAndroid Build Coastguard Worker // certificate chain. Zero indicates the target certificate, one its issuer, and 3146*8fb009dcSAndroid Build Coastguard Worker // so on. 3147*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_STORE_CTX_get_error_depth(const X509_STORE_CTX *ctx); 3148*8fb009dcSAndroid Build Coastguard Worker 3149*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_get_current_cert returns the certificate which caused the 3150*8fb009dcSAndroid Build Coastguard Worker // error returned by |X509_STORE_CTX_get_error|. 3151*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx); 3152*8fb009dcSAndroid Build Coastguard Worker 3153*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_get0_current_crl returns the CRL which caused the error 3154*8fb009dcSAndroid Build Coastguard Worker // returned by |X509_STORE_CTX_get_error|. 3155*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_CRL *X509_STORE_CTX_get0_current_crl( 3156*8fb009dcSAndroid Build Coastguard Worker const X509_STORE_CTX *ctx); 3157*8fb009dcSAndroid Build Coastguard Worker 3158*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_get0_store returns the |X509_STORE| that |ctx| uses. 3159*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_STORE *X509_STORE_CTX_get0_store(const X509_STORE_CTX *ctx); 3160*8fb009dcSAndroid Build Coastguard Worker 3161*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_get0_cert returns the leaf certificate that |ctx| is 3162*8fb009dcSAndroid Build Coastguard Worker // verifying. 3163*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx); 3164*8fb009dcSAndroid Build Coastguard Worker 3165*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_get0_untrusted returns the stack of untrusted intermediates 3166*8fb009dcSAndroid Build Coastguard Worker // used by |ctx| for certificate verification. 3167*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get0_untrusted( 3168*8fb009dcSAndroid Build Coastguard Worker const X509_STORE_CTX *ctx); 3169*8fb009dcSAndroid Build Coastguard Worker 3170*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_set0_trusted_stack configures |ctx| to trust the certificates 3171*8fb009dcSAndroid Build Coastguard Worker // in |sk|. |sk| must remain valid for the duration of |ctx|. Calling this 3172*8fb009dcSAndroid Build Coastguard Worker // function causes |ctx| to ignore any certificates configured in the 3173*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE|. Certificates in |sk| are still subject to the check described 3174*8fb009dcSAndroid Build Coastguard Worker // in |X509_VERIFY_PARAM_set_trust|. 3175*8fb009dcSAndroid Build Coastguard Worker // 3176*8fb009dcSAndroid Build Coastguard Worker // WARNING: This function differs from most |set0| functions in that it does not 3177*8fb009dcSAndroid Build Coastguard Worker // take ownership of its input. The caller is required to ensure the lifetimes 3178*8fb009dcSAndroid Build Coastguard Worker // are consistent. 3179*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, 3180*8fb009dcSAndroid Build Coastguard Worker STACK_OF(X509) *sk); 3181*8fb009dcSAndroid Build Coastguard Worker 3182*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_set0_crls configures |ctx| to consider the CRLs in |sk| as 3183*8fb009dcSAndroid Build Coastguard Worker // candidates for CRL lookup. |sk| must remain valid for the duration of |ctx|. 3184*8fb009dcSAndroid Build Coastguard Worker // These CRLs are considered in addition to CRLs found in |X509_STORE|. 3185*8fb009dcSAndroid Build Coastguard Worker // 3186*8fb009dcSAndroid Build Coastguard Worker // WARNING: This function differs from most |set0| functions in that it does not 3187*8fb009dcSAndroid Build Coastguard Worker // take ownership of its input. The caller is required to ensure the lifetimes 3188*8fb009dcSAndroid Build Coastguard Worker // are consistent. 3189*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, 3190*8fb009dcSAndroid Build Coastguard Worker STACK_OF(X509_CRL) *sk); 3191*8fb009dcSAndroid Build Coastguard Worker 3192*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_set_default looks up the set of parameters named |name| and 3193*8fb009dcSAndroid Build Coastguard Worker // applies those default verification parameters for |ctx|. As in 3194*8fb009dcSAndroid Build Coastguard Worker // |X509_VERIFY_PARAM_inherit|, only unset parameters are changed. This function 3195*8fb009dcSAndroid Build Coastguard Worker // returns one on success and zero on error. 3196*8fb009dcSAndroid Build Coastguard Worker // 3197*8fb009dcSAndroid Build Coastguard Worker // The supported values of |name| are: 3198*8fb009dcSAndroid Build Coastguard Worker // - "default" is an internal value which configures some late defaults. See the 3199*8fb009dcSAndroid Build Coastguard Worker // discussion in |X509_STORE_get0_param|. 3200*8fb009dcSAndroid Build Coastguard Worker // - "pkcs7" configures default trust and purpose checks for PKCS#7 signatures. 3201*8fb009dcSAndroid Build Coastguard Worker // - "smime_sign" configures trust and purpose checks for S/MIME signatures. 3202*8fb009dcSAndroid Build Coastguard Worker // - "ssl_client" configures trust and purpose checks for TLS clients. 3203*8fb009dcSAndroid Build Coastguard Worker // - "ssl_server" configures trust and purpose checks for TLS servers. 3204*8fb009dcSAndroid Build Coastguard Worker // 3205*8fb009dcSAndroid Build Coastguard Worker // TODO(crbug.com/boringssl/441): Make "default" a no-op. 3206*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, 3207*8fb009dcSAndroid Build Coastguard Worker const char *name); 3208*8fb009dcSAndroid Build Coastguard Worker 3209*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_get0_param returns |ctx|'s verification parameters. This 3210*8fb009dcSAndroid Build Coastguard Worker // object is mutable and may be modified by the caller. 3211*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_CTX_get0_param( 3212*8fb009dcSAndroid Build Coastguard Worker X509_STORE_CTX *ctx); 3213*8fb009dcSAndroid Build Coastguard Worker 3214*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_set0_param returns |ctx|'s verification parameters to |param| 3215*8fb009dcSAndroid Build Coastguard Worker // and takes ownership of |param|. After this function returns, the caller 3216*8fb009dcSAndroid Build Coastguard Worker // should not free |param|. 3217*8fb009dcSAndroid Build Coastguard Worker // 3218*8fb009dcSAndroid Build Coastguard Worker // WARNING: This function discards any values which were previously applied in 3219*8fb009dcSAndroid Build Coastguard Worker // |ctx|, including the "default" parameters applied late in 3220*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE_CTX_init|. These late defaults are not applied to parameters 3221*8fb009dcSAndroid Build Coastguard Worker // created standalone by |X509_VERIFY_PARAM_new|. 3222*8fb009dcSAndroid Build Coastguard Worker // 3223*8fb009dcSAndroid Build Coastguard Worker // TODO(crbug.com/boringssl/441): This behavior is very surprising. Should we 3224*8fb009dcSAndroid Build Coastguard Worker // re-apply the late defaults in |param|, or somehow avoid this notion of late 3225*8fb009dcSAndroid Build Coastguard Worker // defaults altogether? 3226*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, 3227*8fb009dcSAndroid Build Coastguard Worker X509_VERIFY_PARAM *param); 3228*8fb009dcSAndroid Build Coastguard Worker 3229*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_set_flags enables all values in |flags| in |ctx|'s 3230*8fb009dcSAndroid Build Coastguard Worker // verification flags. |flags| should be a combination of |X509_V_FLAG_*| 3231*8fb009dcSAndroid Build Coastguard Worker // constants. 3232*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, 3233*8fb009dcSAndroid Build Coastguard Worker unsigned long flags); 3234*8fb009dcSAndroid Build Coastguard Worker 3235*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_set_time configures certificate verification to use |t| 3236*8fb009dcSAndroid Build Coastguard Worker // instead of the current time. |flags| is ignored and should be zero. 3237*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, 3238*8fb009dcSAndroid Build Coastguard Worker unsigned long flags, time_t t); 3239*8fb009dcSAndroid Build Coastguard Worker 3240*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_set_time_posix configures certificate verification to use |t| 3241*8fb009dcSAndroid Build Coastguard Worker // instead of the current time. |t| is interpreted as a POSIX timestamp in 3242*8fb009dcSAndroid Build Coastguard Worker // seconds. |flags| is ignored and should be zero. 3243*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_STORE_CTX_set_time_posix(X509_STORE_CTX *ctx, 3244*8fb009dcSAndroid Build Coastguard Worker unsigned long flags, 3245*8fb009dcSAndroid Build Coastguard Worker int64_t t); 3246*8fb009dcSAndroid Build Coastguard Worker 3247*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_set_depth configures |ctx| to, by default, limit certificate 3248*8fb009dcSAndroid Build Coastguard Worker // chains to |depth| intermediate certificates. This count excludes both the 3249*8fb009dcSAndroid Build Coastguard Worker // target certificate and the trust anchor (root certificate). 3250*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); 3251*8fb009dcSAndroid Build Coastguard Worker 3252*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_set_purpose simultaneously configures |ctx|'s purpose and 3253*8fb009dcSAndroid Build Coastguard Worker // trust checks, if unset. It returns one on success and zero if |purpose| is 3254*8fb009dcSAndroid Build Coastguard Worker // not a valid purpose value. |purpose| should be an |X509_PURPOSE_*| constant. 3255*8fb009dcSAndroid Build Coastguard Worker // If so, it configures |ctx| with a purpose check of |purpose| and a trust 3256*8fb009dcSAndroid Build Coastguard Worker // check of |purpose|'s corresponding trust value. If either the purpose or 3257*8fb009dcSAndroid Build Coastguard Worker // trust check had already been specified for |ctx|, that corresponding 3258*8fb009dcSAndroid Build Coastguard Worker // modification is silently dropped. 3259*8fb009dcSAndroid Build Coastguard Worker // 3260*8fb009dcSAndroid Build Coastguard Worker // See |X509_VERIFY_PARAM_set_purpose| and |X509_VERIFY_PARAM_set_trust| for 3261*8fb009dcSAndroid Build Coastguard Worker // details on the purpose and trust checks, respectively. 3262*8fb009dcSAndroid Build Coastguard Worker // 3263*8fb009dcSAndroid Build Coastguard Worker // If |purpose| is |X509_PURPOSE_ANY|, this function returns an error because it 3264*8fb009dcSAndroid Build Coastguard Worker // has no corresponding |X509_TRUST_*| value. It is not possible to set 3265*8fb009dcSAndroid Build Coastguard Worker // |X509_PURPOSE_ANY| with this function, only |X509_VERIFY_PARAM_set_purpose|. 3266*8fb009dcSAndroid Build Coastguard Worker // 3267*8fb009dcSAndroid Build Coastguard Worker // WARNING: Unlike similarly named functions in this header, this function 3268*8fb009dcSAndroid Build Coastguard Worker // silently does not behave the same as |X509_VERIFY_PARAM_set_purpose|. Callers 3269*8fb009dcSAndroid Build Coastguard Worker // may use |X509_VERIFY_PARAM_set_purpose| with |X509_STORE_CTX_get0_param| to 3270*8fb009dcSAndroid Build Coastguard Worker // avoid this difference. 3271*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose); 3272*8fb009dcSAndroid Build Coastguard Worker 3273*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_set_trust configures |ctx|'s trust check, if unset. It returns 3274*8fb009dcSAndroid Build Coastguard Worker // one on success and zero if |trust| is not a valid trust value. |trust| should 3275*8fb009dcSAndroid Build Coastguard Worker // be an |X509_TRUST_*| constant. If so, it configures |ctx| with a trust check 3276*8fb009dcSAndroid Build Coastguard Worker // of |trust|. If the trust check had already been specified for |ctx|, it 3277*8fb009dcSAndroid Build Coastguard Worker // silently does nothing. 3278*8fb009dcSAndroid Build Coastguard Worker // 3279*8fb009dcSAndroid Build Coastguard Worker // See |X509_VERIFY_PARAM_set_trust| for details on the purpose and trust check. 3280*8fb009dcSAndroid Build Coastguard Worker // 3281*8fb009dcSAndroid Build Coastguard Worker // WARNING: Unlike similarly named functions in this header, this function 3282*8fb009dcSAndroid Build Coastguard Worker // does not behave the same as |X509_VERIFY_PARAM_set_trust|. Callers may use 3283*8fb009dcSAndroid Build Coastguard Worker // |X509_VERIFY_PARAM_set_trust| with |X509_STORE_CTX_get0_param| to avoid this 3284*8fb009dcSAndroid Build Coastguard Worker // difference. 3285*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust); 3286*8fb009dcSAndroid Build Coastguard Worker 3287*8fb009dcSAndroid Build Coastguard Worker 3288*8fb009dcSAndroid Build Coastguard Worker // Verification parameters. 3289*8fb009dcSAndroid Build Coastguard Worker // 3290*8fb009dcSAndroid Build Coastguard Worker // An |X509_VERIFY_PARAM| contains a set of parameters for certificate 3291*8fb009dcSAndroid Build Coastguard Worker // verification. 3292*8fb009dcSAndroid Build Coastguard Worker 3293*8fb009dcSAndroid Build Coastguard Worker // X509_VERIFY_PARAM_new returns a newly-allocated |X509_VERIFY_PARAM|, or NULL 3294*8fb009dcSAndroid Build Coastguard Worker // on error. 3295*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void); 3296*8fb009dcSAndroid Build Coastguard Worker 3297*8fb009dcSAndroid Build Coastguard Worker // X509_VERIFY_PARAM_free releases memory associated with |param|. 3298*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param); 3299*8fb009dcSAndroid Build Coastguard Worker 3300*8fb009dcSAndroid Build Coastguard Worker // X509_VERIFY_PARAM_inherit applies |from| as the default values for |to|. That 3301*8fb009dcSAndroid Build Coastguard Worker // is, for each parameter that is unset in |to|, it copies the value in |from|. 3302*8fb009dcSAndroid Build Coastguard Worker // This function returns one on success and zero on error. 3303*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *to, 3304*8fb009dcSAndroid Build Coastguard Worker const X509_VERIFY_PARAM *from); 3305*8fb009dcSAndroid Build Coastguard Worker 3306*8fb009dcSAndroid Build Coastguard Worker // X509_VERIFY_PARAM_set1 copies parameters from |from| to |to|. If a parameter 3307*8fb009dcSAndroid Build Coastguard Worker // is unset in |from|, the existing value in |to| is preserved. This function 3308*8fb009dcSAndroid Build Coastguard Worker // returns one on success and zero on error. 3309*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, 3310*8fb009dcSAndroid Build Coastguard Worker const X509_VERIFY_PARAM *from); 3311*8fb009dcSAndroid Build Coastguard Worker 3312*8fb009dcSAndroid Build Coastguard Worker // X509_V_FLAG_* are flags for |X509_VERIFY_PARAM_set_flags| and 3313*8fb009dcSAndroid Build Coastguard Worker // |X509_VERIFY_PARAM_clear_flags|. 3314*8fb009dcSAndroid Build Coastguard Worker 3315*8fb009dcSAndroid Build Coastguard Worker // X509_V_FLAG_CB_ISSUER_CHECK causes the deprecated verify callback (see 3316*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE_CTX_set_verify_cb|) to be called for errors while matching 3317*8fb009dcSAndroid Build Coastguard Worker // subject and issuer certificates. 3318*8fb009dcSAndroid Build Coastguard Worker #define X509_V_FLAG_CB_ISSUER_CHECK 0x1 3319*8fb009dcSAndroid Build Coastguard Worker // X509_V_FLAG_USE_CHECK_TIME is an internal flag used to track whether 3320*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE_CTX_set_time| has been used. If cleared, the system time is 3321*8fb009dcSAndroid Build Coastguard Worker // restored. 3322*8fb009dcSAndroid Build Coastguard Worker #define X509_V_FLAG_USE_CHECK_TIME 0x2 3323*8fb009dcSAndroid Build Coastguard Worker // X509_V_FLAG_CRL_CHECK enables CRL lookup and checking for the leaf. 3324*8fb009dcSAndroid Build Coastguard Worker #define X509_V_FLAG_CRL_CHECK 0x4 3325*8fb009dcSAndroid Build Coastguard Worker // X509_V_FLAG_CRL_CHECK_ALL enables CRL lookup and checking for the entire 3326*8fb009dcSAndroid Build Coastguard Worker // certificate chain. |X509_V_FLAG_CRL_CHECK| must be set for this flag to take 3327*8fb009dcSAndroid Build Coastguard Worker // effect. 3328*8fb009dcSAndroid Build Coastguard Worker #define X509_V_FLAG_CRL_CHECK_ALL 0x8 3329*8fb009dcSAndroid Build Coastguard Worker // X509_V_FLAG_IGNORE_CRITICAL ignores unhandled critical extensions. Do not use 3330*8fb009dcSAndroid Build Coastguard Worker // this option. Critical extensions ensure the verifier does not bypass 3331*8fb009dcSAndroid Build Coastguard Worker // unrecognized security restrictions in certificates. 3332*8fb009dcSAndroid Build Coastguard Worker #define X509_V_FLAG_IGNORE_CRITICAL 0x10 3333*8fb009dcSAndroid Build Coastguard Worker // X509_V_FLAG_X509_STRICT does nothing. Its functionality has been enabled by 3334*8fb009dcSAndroid Build Coastguard Worker // default. 3335*8fb009dcSAndroid Build Coastguard Worker #define X509_V_FLAG_X509_STRICT 0x00 3336*8fb009dcSAndroid Build Coastguard Worker // X509_V_FLAG_ALLOW_PROXY_CERTS does nothing. Proxy certificate support has 3337*8fb009dcSAndroid Build Coastguard Worker // been removed. 3338*8fb009dcSAndroid Build Coastguard Worker #define X509_V_FLAG_ALLOW_PROXY_CERTS 0x40 3339*8fb009dcSAndroid Build Coastguard Worker // X509_V_FLAG_POLICY_CHECK does nothing. Policy checking is always enabled. 3340*8fb009dcSAndroid Build Coastguard Worker #define X509_V_FLAG_POLICY_CHECK 0x80 3341*8fb009dcSAndroid Build Coastguard Worker // X509_V_FLAG_EXPLICIT_POLICY requires some policy OID to be asserted by the 3342*8fb009dcSAndroid Build Coastguard Worker // final certificate chain. See initial-explicit-policy from RFC 5280, 3343*8fb009dcSAndroid Build Coastguard Worker // section 6.1.1. 3344*8fb009dcSAndroid Build Coastguard Worker #define X509_V_FLAG_EXPLICIT_POLICY 0x100 3345*8fb009dcSAndroid Build Coastguard Worker // X509_V_FLAG_INHIBIT_ANY inhibits the anyPolicy OID. See 3346*8fb009dcSAndroid Build Coastguard Worker // initial-any-policy-inhibit from RFC 5280, section 6.1.1. 3347*8fb009dcSAndroid Build Coastguard Worker #define X509_V_FLAG_INHIBIT_ANY 0x200 3348*8fb009dcSAndroid Build Coastguard Worker // X509_V_FLAG_INHIBIT_MAP inhibits policy mapping. See 3349*8fb009dcSAndroid Build Coastguard Worker // initial-policy-mapping-inhibit from RFC 5280, section 6.1.1. 3350*8fb009dcSAndroid Build Coastguard Worker #define X509_V_FLAG_INHIBIT_MAP 0x400 3351*8fb009dcSAndroid Build Coastguard Worker // X509_V_FLAG_NOTIFY_POLICY does nothing. Its functionality has been removed. 3352*8fb009dcSAndroid Build Coastguard Worker #define X509_V_FLAG_NOTIFY_POLICY 0x800 3353*8fb009dcSAndroid Build Coastguard Worker // X509_V_FLAG_EXTENDED_CRL_SUPPORT causes all verifications to fail. Extended 3354*8fb009dcSAndroid Build Coastguard Worker // CRL features have been removed. 3355*8fb009dcSAndroid Build Coastguard Worker #define X509_V_FLAG_EXTENDED_CRL_SUPPORT 0x1000 3356*8fb009dcSAndroid Build Coastguard Worker // X509_V_FLAG_USE_DELTAS causes all verifications to fail. Delta CRL support 3357*8fb009dcSAndroid Build Coastguard Worker // has been removed. 3358*8fb009dcSAndroid Build Coastguard Worker #define X509_V_FLAG_USE_DELTAS 0x2000 3359*8fb009dcSAndroid Build Coastguard Worker // X509_V_FLAG_CHECK_SS_SIGNATURE checks the redundant signature on self-signed 3360*8fb009dcSAndroid Build Coastguard Worker // trust anchors. This check provides no security benefit and only wastes CPU. 3361*8fb009dcSAndroid Build Coastguard Worker #define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000 3362*8fb009dcSAndroid Build Coastguard Worker // X509_V_FLAG_TRUSTED_FIRST, during path-building, checks for a match in the 3363*8fb009dcSAndroid Build Coastguard Worker // trust store before considering an untrusted intermediate. This flag is 3364*8fb009dcSAndroid Build Coastguard Worker // enabled by default. 3365*8fb009dcSAndroid Build Coastguard Worker #define X509_V_FLAG_TRUSTED_FIRST 0x8000 3366*8fb009dcSAndroid Build Coastguard Worker // X509_V_FLAG_PARTIAL_CHAIN treats all trusted certificates as trust anchors, 3367*8fb009dcSAndroid Build Coastguard Worker // independent of the |X509_VERIFY_PARAM_set_trust| setting. 3368*8fb009dcSAndroid Build Coastguard Worker #define X509_V_FLAG_PARTIAL_CHAIN 0x80000 3369*8fb009dcSAndroid Build Coastguard Worker // X509_V_FLAG_NO_ALT_CHAINS disables building alternative chains if the initial 3370*8fb009dcSAndroid Build Coastguard Worker // one was rejected. 3371*8fb009dcSAndroid Build Coastguard Worker #define X509_V_FLAG_NO_ALT_CHAINS 0x100000 3372*8fb009dcSAndroid Build Coastguard Worker // X509_V_FLAG_NO_CHECK_TIME disables all time checks in certificate 3373*8fb009dcSAndroid Build Coastguard Worker // verification. 3374*8fb009dcSAndroid Build Coastguard Worker #define X509_V_FLAG_NO_CHECK_TIME 0x200000 3375*8fb009dcSAndroid Build Coastguard Worker 3376*8fb009dcSAndroid Build Coastguard Worker // X509_VERIFY_PARAM_set_flags enables all values in |flags| in |param|'s 3377*8fb009dcSAndroid Build Coastguard Worker // verification flags and returns one. |flags| should be a combination of 3378*8fb009dcSAndroid Build Coastguard Worker // |X509_V_FLAG_*| constants. 3379*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, 3380*8fb009dcSAndroid Build Coastguard Worker unsigned long flags); 3381*8fb009dcSAndroid Build Coastguard Worker 3382*8fb009dcSAndroid Build Coastguard Worker // X509_VERIFY_PARAM_clear_flags disables all values in |flags| in |param|'s 3383*8fb009dcSAndroid Build Coastguard Worker // verification flags and returns one. |flags| should be a combination of 3384*8fb009dcSAndroid Build Coastguard Worker // |X509_V_FLAG_*| constants. 3385*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, 3386*8fb009dcSAndroid Build Coastguard Worker unsigned long flags); 3387*8fb009dcSAndroid Build Coastguard Worker 3388*8fb009dcSAndroid Build Coastguard Worker // X509_VERIFY_PARAM_get_flags returns |param|'s verification flags. 3389*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT unsigned long X509_VERIFY_PARAM_get_flags( 3390*8fb009dcSAndroid Build Coastguard Worker const X509_VERIFY_PARAM *param); 3391*8fb009dcSAndroid Build Coastguard Worker 3392*8fb009dcSAndroid Build Coastguard Worker // X509_VERIFY_PARAM_set_depth configures |param| to limit certificate chains to 3393*8fb009dcSAndroid Build Coastguard Worker // |depth| intermediate certificates. This count excludes both the target 3394*8fb009dcSAndroid Build Coastguard Worker // certificate and the trust anchor (root certificate). 3395*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, 3396*8fb009dcSAndroid Build Coastguard Worker int depth); 3397*8fb009dcSAndroid Build Coastguard Worker 3398*8fb009dcSAndroid Build Coastguard Worker // X509_VERIFY_PARAM_get_depth returns the maximum depth configured in |param|. 3399*8fb009dcSAndroid Build Coastguard Worker // See |X509_VERIFY_PARAM_set_depth|. 3400*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param); 3401*8fb009dcSAndroid Build Coastguard Worker 3402*8fb009dcSAndroid Build Coastguard Worker // X509_VERIFY_PARAM_set_time configures certificate verification to use |t| 3403*8fb009dcSAndroid Build Coastguard Worker // instead of the current time. 3404*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, 3405*8fb009dcSAndroid Build Coastguard Worker time_t t); 3406*8fb009dcSAndroid Build Coastguard Worker 3407*8fb009dcSAndroid Build Coastguard Worker // X509_VERIFY_PARAM_set_time_posix configures certificate verification to use 3408*8fb009dcSAndroid Build Coastguard Worker // |t| instead of the current time. |t| is interpreted as a POSIX timestamp in 3409*8fb009dcSAndroid Build Coastguard Worker // seconds. 3410*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_VERIFY_PARAM_set_time_posix(X509_VERIFY_PARAM *param, 3411*8fb009dcSAndroid Build Coastguard Worker int64_t t); 3412*8fb009dcSAndroid Build Coastguard Worker 3413*8fb009dcSAndroid Build Coastguard Worker // X509_VERIFY_PARAM_add0_policy adds |policy| to the user-initial-policy-set 3414*8fb009dcSAndroid Build Coastguard Worker // (see Section 6.1.1 of RFC 5280). On success, it takes ownership of 3415*8fb009dcSAndroid Build Coastguard Worker // |policy| and returns one. Otherwise, it returns zero and the caller retains 3416*8fb009dcSAndroid Build Coastguard Worker // owneship of |policy|. 3417*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, 3418*8fb009dcSAndroid Build Coastguard Worker ASN1_OBJECT *policy); 3419*8fb009dcSAndroid Build Coastguard Worker 3420*8fb009dcSAndroid Build Coastguard Worker // X509_VERIFY_PARAM_set1_policies sets the user-initial-policy-set (see 3421*8fb009dcSAndroid Build Coastguard Worker // Section 6.1.1 of RFC 5280) to a copy of |policies|. It returns one on success 3422*8fb009dcSAndroid Build Coastguard Worker // and zero on error. 3423*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_policies( 3424*8fb009dcSAndroid Build Coastguard Worker X509_VERIFY_PARAM *param, const STACK_OF(ASN1_OBJECT) *policies); 3425*8fb009dcSAndroid Build Coastguard Worker 3426*8fb009dcSAndroid Build Coastguard Worker // X509_VERIFY_PARAM_set1_host configures |param| to check for the DNS name 3427*8fb009dcSAndroid Build Coastguard Worker // specified by |name|. It returns one on success and zero on error. 3428*8fb009dcSAndroid Build Coastguard Worker // 3429*8fb009dcSAndroid Build Coastguard Worker // By default, both subject alternative names and the subject's common name 3430*8fb009dcSAndroid Build Coastguard Worker // attribute are checked. The latter has long been deprecated, so callers should 3431*8fb009dcSAndroid Build Coastguard Worker // call |X509_VERIFY_PARAM_set_hostflags| with 3432*8fb009dcSAndroid Build Coastguard Worker // |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| to use the standard behavior. 3433*8fb009dcSAndroid Build Coastguard Worker // https://crbug.com/boringssl/464 tracks fixing the default. 3434*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, 3435*8fb009dcSAndroid Build Coastguard Worker const char *name, 3436*8fb009dcSAndroid Build Coastguard Worker size_t name_len); 3437*8fb009dcSAndroid Build Coastguard Worker 3438*8fb009dcSAndroid Build Coastguard Worker // X509_VERIFY_PARAM_add1_host adds |name| to the list of names checked by 3439*8fb009dcSAndroid Build Coastguard Worker // |param|. If any configured DNS name matches the certificate, verification 3440*8fb009dcSAndroid Build Coastguard Worker // succeeds. It returns one on success and zero on error. 3441*8fb009dcSAndroid Build Coastguard Worker // 3442*8fb009dcSAndroid Build Coastguard Worker // By default, both subject alternative names and the subject's common name 3443*8fb009dcSAndroid Build Coastguard Worker // attribute are checked. The latter has long been deprecated, so callers should 3444*8fb009dcSAndroid Build Coastguard Worker // call |X509_VERIFY_PARAM_set_hostflags| with 3445*8fb009dcSAndroid Build Coastguard Worker // |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| to use the standard behavior. 3446*8fb009dcSAndroid Build Coastguard Worker // https://crbug.com/boringssl/464 tracks fixing the default. 3447*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param, 3448*8fb009dcSAndroid Build Coastguard Worker const char *name, 3449*8fb009dcSAndroid Build Coastguard Worker size_t name_len); 3450*8fb009dcSAndroid Build Coastguard Worker 3451*8fb009dcSAndroid Build Coastguard Worker // X509_CHECK_FLAG_NO_WILDCARDS disables wildcard matching for DNS names. 3452*8fb009dcSAndroid Build Coastguard Worker #define X509_CHECK_FLAG_NO_WILDCARDS 0x2 3453*8fb009dcSAndroid Build Coastguard Worker 3454*8fb009dcSAndroid Build Coastguard Worker // X509_CHECK_FLAG_NEVER_CHECK_SUBJECT disables the subject fallback, normally 3455*8fb009dcSAndroid Build Coastguard Worker // enabled when subjectAltNames is missing. 3456*8fb009dcSAndroid Build Coastguard Worker #define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20 3457*8fb009dcSAndroid Build Coastguard Worker 3458*8fb009dcSAndroid Build Coastguard Worker // X509_VERIFY_PARAM_set_hostflags sets the name-checking flags on |param| to 3459*8fb009dcSAndroid Build Coastguard Worker // |flags|. |flags| should be a combination of |X509_CHECK_FLAG_*| constants. 3460*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, 3461*8fb009dcSAndroid Build Coastguard Worker unsigned int flags); 3462*8fb009dcSAndroid Build Coastguard Worker 3463*8fb009dcSAndroid Build Coastguard Worker // X509_VERIFY_PARAM_set1_email configures |param| to check for the email 3464*8fb009dcSAndroid Build Coastguard Worker // address specified by |email|. It returns one on success and zero on error. 3465*8fb009dcSAndroid Build Coastguard Worker // 3466*8fb009dcSAndroid Build Coastguard Worker // By default, both subject alternative names and the subject's email address 3467*8fb009dcSAndroid Build Coastguard Worker // attribute are checked. The |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| flag may be 3468*8fb009dcSAndroid Build Coastguard Worker // used to change this behavior. 3469*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, 3470*8fb009dcSAndroid Build Coastguard Worker const char *email, 3471*8fb009dcSAndroid Build Coastguard Worker size_t email_len); 3472*8fb009dcSAndroid Build Coastguard Worker 3473*8fb009dcSAndroid Build Coastguard Worker // X509_VERIFY_PARAM_set1_ip configures |param| to check for the IP address 3474*8fb009dcSAndroid Build Coastguard Worker // specified by |ip|. It returns one on success and zero on error. The IP 3475*8fb009dcSAndroid Build Coastguard Worker // address is specified in its binary representation. |ip_len| must be 4 for an 3476*8fb009dcSAndroid Build Coastguard Worker // IPv4 address and 16 for an IPv6 address. 3477*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, 3478*8fb009dcSAndroid Build Coastguard Worker const uint8_t *ip, size_t ip_len); 3479*8fb009dcSAndroid Build Coastguard Worker 3480*8fb009dcSAndroid Build Coastguard Worker // X509_VERIFY_PARAM_set1_ip_asc decodes |ipasc| as the ASCII representation of 3481*8fb009dcSAndroid Build Coastguard Worker // an IPv4 or IPv6 address, and configures |param| to check for it. It returns 3482*8fb009dcSAndroid Build Coastguard Worker // one on success and zero on error. 3483*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, 3484*8fb009dcSAndroid Build Coastguard Worker const char *ipasc); 3485*8fb009dcSAndroid Build Coastguard Worker 3486*8fb009dcSAndroid Build Coastguard Worker // X509_PURPOSE_SSL_CLIENT validates TLS client certificates. It checks for the 3487*8fb009dcSAndroid Build Coastguard Worker // id-kp-clientAuth EKU and one of digitalSignature or keyAgreement key usages. 3488*8fb009dcSAndroid Build Coastguard Worker // The TLS library is expected to check for the key usage specific to the 3489*8fb009dcSAndroid Build Coastguard Worker // negotiated TLS parameters. 3490*8fb009dcSAndroid Build Coastguard Worker #define X509_PURPOSE_SSL_CLIENT 1 3491*8fb009dcSAndroid Build Coastguard Worker // X509_PURPOSE_SSL_SERVER validates TLS server certificates. It checks for the 3492*8fb009dcSAndroid Build Coastguard Worker // id-kp-clientAuth EKU and one of digitalSignature, keyAgreement, or 3493*8fb009dcSAndroid Build Coastguard Worker // keyEncipherment key usages. The TLS library is expected to check for the key 3494*8fb009dcSAndroid Build Coastguard Worker // usage specific to the negotiated TLS parameters. 3495*8fb009dcSAndroid Build Coastguard Worker #define X509_PURPOSE_SSL_SERVER 2 3496*8fb009dcSAndroid Build Coastguard Worker // X509_PURPOSE_NS_SSL_SERVER is a legacy mode. It behaves like 3497*8fb009dcSAndroid Build Coastguard Worker // |X509_PURPOSE_SSL_SERVER|, but only accepts the keyEncipherment key usage, 3498*8fb009dcSAndroid Build Coastguard Worker // used by SSL 2.0 and RSA key exchange. Do not use this. 3499*8fb009dcSAndroid Build Coastguard Worker #define X509_PURPOSE_NS_SSL_SERVER 3 3500*8fb009dcSAndroid Build Coastguard Worker // X509_PURPOSE_SMIME_SIGN validates S/MIME signing certificates. It checks for 3501*8fb009dcSAndroid Build Coastguard Worker // the id-kp-emailProtection EKU and one of digitalSignature or nonRepudiation 3502*8fb009dcSAndroid Build Coastguard Worker // key usages. 3503*8fb009dcSAndroid Build Coastguard Worker #define X509_PURPOSE_SMIME_SIGN 4 3504*8fb009dcSAndroid Build Coastguard Worker // X509_PURPOSE_SMIME_ENCRYPT validates S/MIME encryption certificates. It 3505*8fb009dcSAndroid Build Coastguard Worker // checks for the id-kp-emailProtection EKU and keyEncipherment key usage. 3506*8fb009dcSAndroid Build Coastguard Worker #define X509_PURPOSE_SMIME_ENCRYPT 5 3507*8fb009dcSAndroid Build Coastguard Worker // X509_PURPOSE_CRL_SIGN validates indirect CRL signers. It checks for the 3508*8fb009dcSAndroid Build Coastguard Worker // cRLSign key usage. BoringSSL does not support indirect CRLs and does not use 3509*8fb009dcSAndroid Build Coastguard Worker // this mode. 3510*8fb009dcSAndroid Build Coastguard Worker #define X509_PURPOSE_CRL_SIGN 6 3511*8fb009dcSAndroid Build Coastguard Worker // X509_PURPOSE_ANY performs no EKU or key usage checks. Such checks are the 3512*8fb009dcSAndroid Build Coastguard Worker // responsibility of the caller. 3513*8fb009dcSAndroid Build Coastguard Worker #define X509_PURPOSE_ANY 7 3514*8fb009dcSAndroid Build Coastguard Worker // X509_PURPOSE_OCSP_HELPER performs no EKU or key usage checks. It was 3515*8fb009dcSAndroid Build Coastguard Worker // historically used in OpenSSL's OCSP implementation, which left those checks 3516*8fb009dcSAndroid Build Coastguard Worker // to the OCSP implementation itself. 3517*8fb009dcSAndroid Build Coastguard Worker #define X509_PURPOSE_OCSP_HELPER 8 3518*8fb009dcSAndroid Build Coastguard Worker // X509_PURPOSE_TIMESTAMP_SIGN validates Time Stamping Authority (RFC 3161) 3519*8fb009dcSAndroid Build Coastguard Worker // certificates. It checks for the id-kp-timeStamping EKU and one of 3520*8fb009dcSAndroid Build Coastguard Worker // digitalSignature or nonRepudiation key usages. It additionally checks that 3521*8fb009dcSAndroid Build Coastguard Worker // the EKU extension is critical and that no other EKUs or key usages are 3522*8fb009dcSAndroid Build Coastguard Worker // asserted. 3523*8fb009dcSAndroid Build Coastguard Worker #define X509_PURPOSE_TIMESTAMP_SIGN 9 3524*8fb009dcSAndroid Build Coastguard Worker 3525*8fb009dcSAndroid Build Coastguard Worker // X509_VERIFY_PARAM_set_purpose configures |param| to validate certificates for 3526*8fb009dcSAndroid Build Coastguard Worker // a specified purpose. It returns one on success and zero if |purpose| is not a 3527*8fb009dcSAndroid Build Coastguard Worker // valid purpose type. |purpose| should be one of the |X509_PURPOSE_*| values. 3528*8fb009dcSAndroid Build Coastguard Worker // 3529*8fb009dcSAndroid Build Coastguard Worker // This option controls checking the extended key usage (EKU) and key usage 3530*8fb009dcSAndroid Build Coastguard Worker // extensions. These extensions specify how a certificate's public key may be 3531*8fb009dcSAndroid Build Coastguard Worker // used and are important to avoid cross-protocol attacks, particularly in PKIs 3532*8fb009dcSAndroid Build Coastguard Worker // that may issue certificates for multiple protocols, or for protocols that use 3533*8fb009dcSAndroid Build Coastguard Worker // keys in multiple ways. If not configured, these security checks are the 3534*8fb009dcSAndroid Build Coastguard Worker // caller's responsibility. 3535*8fb009dcSAndroid Build Coastguard Worker // 3536*8fb009dcSAndroid Build Coastguard Worker // This library applies the EKU checks to all untrusted intermediates. Although 3537*8fb009dcSAndroid Build Coastguard Worker // not defined in RFC 5280, this matches widely-deployed practice. It also does 3538*8fb009dcSAndroid Build Coastguard Worker // not accept anyExtendedKeyUsage. 3539*8fb009dcSAndroid Build Coastguard Worker // 3540*8fb009dcSAndroid Build Coastguard Worker // Many purpose values have a corresponding trust value, which is not configured 3541*8fb009dcSAndroid Build Coastguard Worker // by this function. See |X509_VERIFY_PARAM_set_trust| for details. Callers 3542*8fb009dcSAndroid Build Coastguard Worker // that wish to configure both should either call both functions, or use 3543*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE_CTX_set_purpose|. 3544*8fb009dcSAndroid Build Coastguard Worker // 3545*8fb009dcSAndroid Build Coastguard Worker // It is currently not possible to configure custom EKU OIDs or key usage bits. 3546*8fb009dcSAndroid Build Coastguard Worker // Contact the BoringSSL maintainers if your application needs to do so. OpenSSL 3547*8fb009dcSAndroid Build Coastguard Worker // had an |X509_PURPOSE_add| API, but it was not thread-safe and relied on 3548*8fb009dcSAndroid Build Coastguard Worker // global mutable state, so we removed it. 3549*8fb009dcSAndroid Build Coastguard Worker // 3550*8fb009dcSAndroid Build Coastguard Worker // TODO(davidben): This function additionally configures checking the legacy 3551*8fb009dcSAndroid Build Coastguard Worker // Netscape certificate type extension. Remove this. 3552*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, 3553*8fb009dcSAndroid Build Coastguard Worker int purpose); 3554*8fb009dcSAndroid Build Coastguard Worker 3555*8fb009dcSAndroid Build Coastguard Worker // X509_TRUST_COMPAT evaluates trust using only the self-signed fallback. Trust 3556*8fb009dcSAndroid Build Coastguard Worker // and distrust OIDs are ignored. 3557*8fb009dcSAndroid Build Coastguard Worker #define X509_TRUST_COMPAT 1 3558*8fb009dcSAndroid Build Coastguard Worker // X509_TRUST_SSL_CLIENT evaluates trust with the |NID_client_auth| OID, for 3559*8fb009dcSAndroid Build Coastguard Worker // validating TLS client certificates. 3560*8fb009dcSAndroid Build Coastguard Worker #define X509_TRUST_SSL_CLIENT 2 3561*8fb009dcSAndroid Build Coastguard Worker // X509_TRUST_SSL_SERVER evaluates trust with the |NID_server_auth| OID, for 3562*8fb009dcSAndroid Build Coastguard Worker // validating TLS server certificates. 3563*8fb009dcSAndroid Build Coastguard Worker #define X509_TRUST_SSL_SERVER 3 3564*8fb009dcSAndroid Build Coastguard Worker // X509_TRUST_EMAIL evaluates trust with the |NID_email_protect| OID, for 3565*8fb009dcSAndroid Build Coastguard Worker // validating S/MIME email certificates. 3566*8fb009dcSAndroid Build Coastguard Worker #define X509_TRUST_EMAIL 4 3567*8fb009dcSAndroid Build Coastguard Worker // X509_TRUST_OBJECT_SIGN evaluates trust with the |NID_code_sign| OID, for 3568*8fb009dcSAndroid Build Coastguard Worker // validating code signing certificates. 3569*8fb009dcSAndroid Build Coastguard Worker #define X509_TRUST_OBJECT_SIGN 5 3570*8fb009dcSAndroid Build Coastguard Worker // X509_TRUST_TSA evaluates trust with the |NID_time_stamp| OID, for validating 3571*8fb009dcSAndroid Build Coastguard Worker // Time Stamping Authority (RFC 3161) certificates. 3572*8fb009dcSAndroid Build Coastguard Worker #define X509_TRUST_TSA 8 3573*8fb009dcSAndroid Build Coastguard Worker 3574*8fb009dcSAndroid Build Coastguard Worker // X509_VERIFY_PARAM_set_trust configures which certificates from |X509_STORE| 3575*8fb009dcSAndroid Build Coastguard Worker // are trust anchors. It returns one on success and zero if |trust| is not a 3576*8fb009dcSAndroid Build Coastguard Worker // valid trust value. |trust| should be one of the |X509_TRUST_*| constants. 3577*8fb009dcSAndroid Build Coastguard Worker // This function allows applications to vary trust anchors when the same set of 3578*8fb009dcSAndroid Build Coastguard Worker // trusted certificates is used in multiple contexts. 3579*8fb009dcSAndroid Build Coastguard Worker // 3580*8fb009dcSAndroid Build Coastguard Worker // Two properties determine whether a certificate is a trust anchor: 3581*8fb009dcSAndroid Build Coastguard Worker // 3582*8fb009dcSAndroid Build Coastguard Worker // - Whether it is trusted or distrusted for some OID, via auxiliary information 3583*8fb009dcSAndroid Build Coastguard Worker // configured by |X509_add1_trust_object| or |X509_add1_reject_object|. 3584*8fb009dcSAndroid Build Coastguard Worker // 3585*8fb009dcSAndroid Build Coastguard Worker // - Whether it is "self-signed". That is, whether |X509_get_extension_flags| 3586*8fb009dcSAndroid Build Coastguard Worker // includes |EXFLAG_SS|. The signature itself is not checked. 3587*8fb009dcSAndroid Build Coastguard Worker // 3588*8fb009dcSAndroid Build Coastguard Worker // When this function is called, |trust| determines the OID to check in the 3589*8fb009dcSAndroid Build Coastguard Worker // first case. If the certificate is not explicitly trusted or distrusted for 3590*8fb009dcSAndroid Build Coastguard Worker // any OID, it is trusted if self-signed instead. 3591*8fb009dcSAndroid Build Coastguard Worker // 3592*8fb009dcSAndroid Build Coastguard Worker // If unset, the default behavior is to check for the |NID_anyExtendedKeyUsage| 3593*8fb009dcSAndroid Build Coastguard Worker // OID. If the certificate is not explicitly trusted or distrusted for this OID, 3594*8fb009dcSAndroid Build Coastguard Worker // it is trusted if self-signed instead. Note this slightly differs from the 3595*8fb009dcSAndroid Build Coastguard Worker // above. 3596*8fb009dcSAndroid Build Coastguard Worker // 3597*8fb009dcSAndroid Build Coastguard Worker // If the |X509_V_FLAG_PARTIAL_CHAIN| is set, every certificate from 3598*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE| is a trust anchor, unless it was explicitly distrusted for the 3599*8fb009dcSAndroid Build Coastguard Worker // OID. 3600*8fb009dcSAndroid Build Coastguard Worker // 3601*8fb009dcSAndroid Build Coastguard Worker // It is currently not possible to configure custom trust OIDs. Contact the 3602*8fb009dcSAndroid Build Coastguard Worker // BoringSSL maintainers if your application needs to do so. OpenSSL had an 3603*8fb009dcSAndroid Build Coastguard Worker // |X509_TRUST_add| API, but it was not thread-safe and relied on global mutable 3604*8fb009dcSAndroid Build Coastguard Worker // state, so we removed it. 3605*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, 3606*8fb009dcSAndroid Build Coastguard Worker int trust); 3607*8fb009dcSAndroid Build Coastguard Worker 3608*8fb009dcSAndroid Build Coastguard Worker 3609*8fb009dcSAndroid Build Coastguard Worker // Filesystem-based certificate stores. 3610*8fb009dcSAndroid Build Coastguard Worker // 3611*8fb009dcSAndroid Build Coastguard Worker // An |X509_STORE| may be configured to get its contents from the filesystem. 3612*8fb009dcSAndroid Build Coastguard Worker // This is done by adding |X509_LOOKUP| structures to the |X509_STORE| with 3613*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE_add_lookup| and then configuring the |X509_LOOKUP| with paths. 3614*8fb009dcSAndroid Build Coastguard Worker // 3615*8fb009dcSAndroid Build Coastguard Worker // Most cases can use |X509_STORE_load_locations|, which configures the same 3616*8fb009dcSAndroid Build Coastguard Worker // thing but is simpler to use. 3617*8fb009dcSAndroid Build Coastguard Worker 3618*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_load_locations configures |store| to load data from filepaths 3619*8fb009dcSAndroid Build Coastguard Worker // |file| and |dir|. It returns one on success and zero on error. Either of 3620*8fb009dcSAndroid Build Coastguard Worker // |file| or |dir| may be NULL, but at least one must be non-NULL. 3621*8fb009dcSAndroid Build Coastguard Worker // 3622*8fb009dcSAndroid Build Coastguard Worker // If |file| is non-NULL, it loads CRLs and trusted certificates in PEM format 3623*8fb009dcSAndroid Build Coastguard Worker // from the file at |file|, and them to |store|, as in |X509_load_cert_crl_file| 3624*8fb009dcSAndroid Build Coastguard Worker // with |X509_FILETYPE_PEM|. 3625*8fb009dcSAndroid Build Coastguard Worker // 3626*8fb009dcSAndroid Build Coastguard Worker // If |dir| is non-NULL, it configures |store| to load CRLs and trusted 3627*8fb009dcSAndroid Build Coastguard Worker // certificates from the directory at |dir| in PEM format, as in 3628*8fb009dcSAndroid Build Coastguard Worker // |X509_LOOKUP_add_dir| with |X509_FILETYPE_PEM|. 3629*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_STORE_load_locations(X509_STORE *store, 3630*8fb009dcSAndroid Build Coastguard Worker const char *file, const char *dir); 3631*8fb009dcSAndroid Build Coastguard Worker 3632*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_add_lookup returns an |X509_LOOKUP| associated with |store| with 3633*8fb009dcSAndroid Build Coastguard Worker // type |method|, or NULL on error. The result is owned by |store|, so callers 3634*8fb009dcSAndroid Build Coastguard Worker // are not expected to free it. This may be used with |X509_LOOKUP_add_dir| or 3635*8fb009dcSAndroid Build Coastguard Worker // |X509_LOOKUP_load_file|, depending on |method|, to configure |store|. 3636*8fb009dcSAndroid Build Coastguard Worker // 3637*8fb009dcSAndroid Build Coastguard Worker // A single |X509_LOOKUP| may be configured with multiple paths, and an 3638*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE| only contains one |X509_LOOKUP| of each type, so there is no 3639*8fb009dcSAndroid Build Coastguard Worker // need to call this function multiple times for a single type. Calling it 3640*8fb009dcSAndroid Build Coastguard Worker // multiple times will return the previous |X509_LOOKUP| of that type. 3641*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_LOOKUP *X509_STORE_add_lookup( 3642*8fb009dcSAndroid Build Coastguard Worker X509_STORE *store, const X509_LOOKUP_METHOD *method); 3643*8fb009dcSAndroid Build Coastguard Worker 3644*8fb009dcSAndroid Build Coastguard Worker // X509_LOOKUP_hash_dir creates |X509_LOOKUP|s that may be used with 3645*8fb009dcSAndroid Build Coastguard Worker // |X509_LOOKUP_add_dir|. 3646*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT const X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void); 3647*8fb009dcSAndroid Build Coastguard Worker 3648*8fb009dcSAndroid Build Coastguard Worker // X509_LOOKUP_file creates |X509_LOOKUP|s that may be used with 3649*8fb009dcSAndroid Build Coastguard Worker // |X509_LOOKUP_load_file|. 3650*8fb009dcSAndroid Build Coastguard Worker // 3651*8fb009dcSAndroid Build Coastguard Worker // Although this is modeled as an |X509_LOOKUP|, this function is redundant. It 3652*8fb009dcSAndroid Build Coastguard Worker // has the same effect as loading a certificate or CRL from the filesystem, in 3653*8fb009dcSAndroid Build Coastguard Worker // the caller's desired format, and then adding it with |X509_STORE_add_cert| 3654*8fb009dcSAndroid Build Coastguard Worker // and |X509_STORE_add_crl|. 3655*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT const X509_LOOKUP_METHOD *X509_LOOKUP_file(void); 3656*8fb009dcSAndroid Build Coastguard Worker 3657*8fb009dcSAndroid Build Coastguard Worker // The following constants are used to specify the format of files in an 3658*8fb009dcSAndroid Build Coastguard Worker // |X509_LOOKUP|. 3659*8fb009dcSAndroid Build Coastguard Worker #define X509_FILETYPE_PEM 1 3660*8fb009dcSAndroid Build Coastguard Worker #define X509_FILETYPE_ASN1 2 3661*8fb009dcSAndroid Build Coastguard Worker #define X509_FILETYPE_DEFAULT 3 3662*8fb009dcSAndroid Build Coastguard Worker 3663*8fb009dcSAndroid Build Coastguard Worker // X509_LOOKUP_load_file calls |X509_load_cert_crl_file|. |lookup| must have 3664*8fb009dcSAndroid Build Coastguard Worker // been constructed with |X509_LOOKUP_file|. 3665*8fb009dcSAndroid Build Coastguard Worker // 3666*8fb009dcSAndroid Build Coastguard Worker // If |type| is |X509_FILETYPE_DEFAULT|, it ignores |file| and instead uses some 3667*8fb009dcSAndroid Build Coastguard Worker // default system path with |X509_FILETYPE_PEM|. See also 3668*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE_set_default_paths|. 3669*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_LOOKUP_load_file(X509_LOOKUP *lookup, const char *file, 3670*8fb009dcSAndroid Build Coastguard Worker int type); 3671*8fb009dcSAndroid Build Coastguard Worker 3672*8fb009dcSAndroid Build Coastguard Worker // X509_LOOKUP_add_dir configures |lookup| to load CRLs and trusted certificates 3673*8fb009dcSAndroid Build Coastguard Worker // from the directories in |path|. It returns one on success and zero on error. 3674*8fb009dcSAndroid Build Coastguard Worker // |lookup| must have been constructed with |X509_LOOKUP_hash_dir|. 3675*8fb009dcSAndroid Build Coastguard Worker // 3676*8fb009dcSAndroid Build Coastguard Worker // WARNING: |path| is interpreted as a colon-separated (semicolon-separated on 3677*8fb009dcSAndroid Build Coastguard Worker // Windows) list of paths. It is not possible to configure a path containing the 3678*8fb009dcSAndroid Build Coastguard Worker // separator character. https://crbug.com/boringssl/691 tracks removing this 3679*8fb009dcSAndroid Build Coastguard Worker // behavior. 3680*8fb009dcSAndroid Build Coastguard Worker // 3681*8fb009dcSAndroid Build Coastguard Worker // |type| should be one of the |X509_FILETYPE_*| constants and determines the 3682*8fb009dcSAndroid Build Coastguard Worker // format of the files. If |type| is |X509_FILETYPE_DEFAULT|, |path| is ignored 3683*8fb009dcSAndroid Build Coastguard Worker // and some default system path is used with |X509_FILETYPE_PEM|. See also 3684*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE_set_default_paths|. 3685*8fb009dcSAndroid Build Coastguard Worker // 3686*8fb009dcSAndroid Build Coastguard Worker // Trusted certificates should be named HASH.N and CRLs should be 3687*8fb009dcSAndroid Build Coastguard Worker // named HASH.rN. HASH is |X509_NAME_hash| of the certificate subject and CRL 3688*8fb009dcSAndroid Build Coastguard Worker // issuer, respectively, in hexadecimal. N is in decimal and counts hash 3689*8fb009dcSAndroid Build Coastguard Worker // collisions consecutively, starting from zero. For example, "002c0b4f.0" and 3690*8fb009dcSAndroid Build Coastguard Worker // "002c0b4f.r0". 3691*8fb009dcSAndroid Build Coastguard Worker // 3692*8fb009dcSAndroid Build Coastguard Worker // WARNING: Objects from |path| are loaded on demand, but cached in memory on 3693*8fb009dcSAndroid Build Coastguard Worker // the |X509_STORE|. If a CA is removed from the directory, existing 3694*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE|s will continue to trust it. Cache entries are not evicted for 3695*8fb009dcSAndroid Build Coastguard Worker // the lifetime of the |X509_STORE|. 3696*8fb009dcSAndroid Build Coastguard Worker // 3697*8fb009dcSAndroid Build Coastguard Worker // WARNING: This mechanism is also not well-suited for CRL updates. 3698*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE|s rely on this cache and never load the same CRL file twice. CRL 3699*8fb009dcSAndroid Build Coastguard Worker // updates must use a new file, with an incremented suffix, to be reflected in 3700*8fb009dcSAndroid Build Coastguard Worker // existing |X509_STORE|s. However, this means each CRL update will use 3701*8fb009dcSAndroid Build Coastguard Worker // additional storage and memory. Instead, configure inputs that vary per 3702*8fb009dcSAndroid Build Coastguard Worker // verification, such as CRLs, on each |X509_STORE_CTX| separately, using 3703*8fb009dcSAndroid Build Coastguard Worker // functions like |X509_STORE_CTX_set0_crl|. 3704*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_LOOKUP_add_dir(X509_LOOKUP *lookup, const char *path, 3705*8fb009dcSAndroid Build Coastguard Worker int type); 3706*8fb009dcSAndroid Build Coastguard Worker 3707*8fb009dcSAndroid Build Coastguard Worker // X509_L_* are commands for |X509_LOOKUP_ctrl|. 3708*8fb009dcSAndroid Build Coastguard Worker #define X509_L_FILE_LOAD 1 3709*8fb009dcSAndroid Build Coastguard Worker #define X509_L_ADD_DIR 2 3710*8fb009dcSAndroid Build Coastguard Worker 3711*8fb009dcSAndroid Build Coastguard Worker // X509_LOOKUP_ctrl implements commands on |lookup|. |cmd| specifies the 3712*8fb009dcSAndroid Build Coastguard Worker // command. The other arguments specify the operation in a command-specific way. 3713*8fb009dcSAndroid Build Coastguard Worker // Use |X509_LOOKUP_load_file| or |X509_LOOKUP_add_dir| instead. 3714*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_LOOKUP_ctrl(X509_LOOKUP *lookup, int cmd, 3715*8fb009dcSAndroid Build Coastguard Worker const char *argc, long argl, char **ret); 3716*8fb009dcSAndroid Build Coastguard Worker 3717*8fb009dcSAndroid Build Coastguard Worker // X509_load_cert_file loads trusted certificates from |file| and adds them to 3718*8fb009dcSAndroid Build Coastguard Worker // |lookup|'s |X509_STORE|. It returns one on success and zero on error. 3719*8fb009dcSAndroid Build Coastguard Worker // 3720*8fb009dcSAndroid Build Coastguard Worker // If |type| is |X509_FILETYPE_ASN1|, it loads a single DER-encoded certificate. 3721*8fb009dcSAndroid Build Coastguard Worker // If |type| is |X509_FILETYPE_PEM|, it loads a sequence of PEM-encoded 3722*8fb009dcSAndroid Build Coastguard Worker // certificates. |type| may not be |X509_FILETYPE_DEFAULT|. 3723*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_load_cert_file(X509_LOOKUP *lookup, const char *file, 3724*8fb009dcSAndroid Build Coastguard Worker int type); 3725*8fb009dcSAndroid Build Coastguard Worker 3726*8fb009dcSAndroid Build Coastguard Worker // X509_load_crl_file loads CRLs from |file| and add them it to |lookup|'s 3727*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE|. It returns one on success and zero on error. 3728*8fb009dcSAndroid Build Coastguard Worker // 3729*8fb009dcSAndroid Build Coastguard Worker // If |type| is |X509_FILETYPE_ASN1|, it loads a single DER-encoded CRL. If 3730*8fb009dcSAndroid Build Coastguard Worker // |type| is |X509_FILETYPE_PEM|, it loads a sequence of PEM-encoded CRLs. 3731*8fb009dcSAndroid Build Coastguard Worker // |type| may not be |X509_FILETYPE_DEFAULT|. 3732*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_load_crl_file(X509_LOOKUP *lookup, const char *file, 3733*8fb009dcSAndroid Build Coastguard Worker int type); 3734*8fb009dcSAndroid Build Coastguard Worker 3735*8fb009dcSAndroid Build Coastguard Worker // X509_load_cert_crl_file loads CRLs and trusted certificates from |file| and 3736*8fb009dcSAndroid Build Coastguard Worker // adds them to |lookup|'s |X509_STORE|. It returns one on success and zero on 3737*8fb009dcSAndroid Build Coastguard Worker // error. 3738*8fb009dcSAndroid Build Coastguard Worker // 3739*8fb009dcSAndroid Build Coastguard Worker // If |type| is |X509_FILETYPE_ASN1|, it loads a single DER-encoded certificate. 3740*8fb009dcSAndroid Build Coastguard Worker // This function cannot be used to load a DER-encoded CRL. If |type| is 3741*8fb009dcSAndroid Build Coastguard Worker // |X509_FILETYPE_PEM|, it loads a sequence of PEM-encoded certificates and 3742*8fb009dcSAndroid Build Coastguard Worker // CRLs. |type| may not be |X509_FILETYPE_DEFAULT|. 3743*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_load_cert_crl_file(X509_LOOKUP *lookup, 3744*8fb009dcSAndroid Build Coastguard Worker const char *file, int type); 3745*8fb009dcSAndroid Build Coastguard Worker 3746*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_hash returns a hash of |name|, or zero on error. This is the new 3747*8fb009dcSAndroid Build Coastguard Worker // hash used by |X509_LOOKUP_add_dir|. 3748*8fb009dcSAndroid Build Coastguard Worker // 3749*8fb009dcSAndroid Build Coastguard Worker // This hash is specific to the |X509_LOOKUP_add_dir| filesystem format and is 3750*8fb009dcSAndroid Build Coastguard Worker // not suitable for general-purpose X.509 name processing. It is very short, so 3751*8fb009dcSAndroid Build Coastguard Worker // there will be hash collisions. It also depends on an OpenSSL-specific 3752*8fb009dcSAndroid Build Coastguard Worker // canonicalization process. 3753*8fb009dcSAndroid Build Coastguard Worker // 3754*8fb009dcSAndroid Build Coastguard Worker // TODO(https://crbug.com/boringssl/407): This should be const and thread-safe 3755*8fb009dcSAndroid Build Coastguard Worker // but currently is neither, notably if |name| was modified from its parsed 3756*8fb009dcSAndroid Build Coastguard Worker // value. 3757*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT uint32_t X509_NAME_hash(X509_NAME *name); 3758*8fb009dcSAndroid Build Coastguard Worker 3759*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_hash_old returns a hash of |name|, or zero on error. This is the 3760*8fb009dcSAndroid Build Coastguard Worker // legacy hash used by |X509_LOOKUP_add_dir|, which is still supported for 3761*8fb009dcSAndroid Build Coastguard Worker // compatibility. 3762*8fb009dcSAndroid Build Coastguard Worker // 3763*8fb009dcSAndroid Build Coastguard Worker // This hash is specific to the |X509_LOOKUP_add_dir| filesystem format and is 3764*8fb009dcSAndroid Build Coastguard Worker // not suitable for general-purpose X.509 name processing. It is very short, so 3765*8fb009dcSAndroid Build Coastguard Worker // there will be hash collisions. 3766*8fb009dcSAndroid Build Coastguard Worker // 3767*8fb009dcSAndroid Build Coastguard Worker // TODO(https://crbug.com/boringssl/407): This should be const and thread-safe 3768*8fb009dcSAndroid Build Coastguard Worker // but currently is neither, notably if |name| was modified from its parsed 3769*8fb009dcSAndroid Build Coastguard Worker // value. 3770*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT uint32_t X509_NAME_hash_old(X509_NAME *name); 3771*8fb009dcSAndroid Build Coastguard Worker 3772*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_set_default_paths configures |store| to read from some "default" 3773*8fb009dcSAndroid Build Coastguard Worker // filesystem paths. It returns one on success and zero on error. The filesystem 3774*8fb009dcSAndroid Build Coastguard Worker // paths are determined by a combination of hardcoded paths and the SSL_CERT_DIR 3775*8fb009dcSAndroid Build Coastguard Worker // and SSL_CERT_FILE environment variables. 3776*8fb009dcSAndroid Build Coastguard Worker // 3777*8fb009dcSAndroid Build Coastguard Worker // Using this function is not recommended. In OpenSSL, these defaults are 3778*8fb009dcSAndroid Build Coastguard Worker // determined by OpenSSL's install prefix. There is no corresponding concept for 3779*8fb009dcSAndroid Build Coastguard Worker // BoringSSL. Future versions of BoringSSL may change or remove this 3780*8fb009dcSAndroid Build Coastguard Worker // functionality. 3781*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_STORE_set_default_paths(X509_STORE *store); 3782*8fb009dcSAndroid Build Coastguard Worker 3783*8fb009dcSAndroid Build Coastguard Worker // The following functions return filesystem paths used to determine the above 3784*8fb009dcSAndroid Build Coastguard Worker // "default" paths, when the corresponding environment variables are not set. 3785*8fb009dcSAndroid Build Coastguard Worker // 3786*8fb009dcSAndroid Build Coastguard Worker // Using these functions is not recommended. In OpenSSL, these defaults are 3787*8fb009dcSAndroid Build Coastguard Worker // determined by OpenSSL's install prefix. There is no corresponding concept for 3788*8fb009dcSAndroid Build Coastguard Worker // BoringSSL. Future versions of BoringSSL may change or remove this 3789*8fb009dcSAndroid Build Coastguard Worker // functionality. 3790*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT const char *X509_get_default_cert_area(void); 3791*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT const char *X509_get_default_cert_dir(void); 3792*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT const char *X509_get_default_cert_file(void); 3793*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT const char *X509_get_default_private_dir(void); 3794*8fb009dcSAndroid Build Coastguard Worker 3795*8fb009dcSAndroid Build Coastguard Worker // X509_get_default_cert_dir_env returns "SSL_CERT_DIR", an environment variable 3796*8fb009dcSAndroid Build Coastguard Worker // used to determine the above "default" paths. 3797*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT const char *X509_get_default_cert_dir_env(void); 3798*8fb009dcSAndroid Build Coastguard Worker 3799*8fb009dcSAndroid Build Coastguard Worker // X509_get_default_cert_file_env returns "SSL_CERT_FILE", an environment 3800*8fb009dcSAndroid Build Coastguard Worker // variable used to determine the above "default" paths. 3801*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT const char *X509_get_default_cert_file_env(void); 3802*8fb009dcSAndroid Build Coastguard Worker 3803*8fb009dcSAndroid Build Coastguard Worker 3804*8fb009dcSAndroid Build Coastguard Worker // SignedPublicKeyAndChallenge structures. 3805*8fb009dcSAndroid Build Coastguard Worker // 3806*8fb009dcSAndroid Build Coastguard Worker // The SignedPublicKeyAndChallenge (SPKAC) is a legacy structure to request 3807*8fb009dcSAndroid Build Coastguard Worker // certificates, primarily in the legacy <keygen> HTML tag. An SPKAC structure 3808*8fb009dcSAndroid Build Coastguard Worker // is represented by a |NETSCAPE_SPKI| structure. 3809*8fb009dcSAndroid Build Coastguard Worker // 3810*8fb009dcSAndroid Build Coastguard Worker // The structure is described in 3811*8fb009dcSAndroid Build Coastguard Worker // https://developer.mozilla.org/en-US/docs/Web/HTML/Element/keygen 3812*8fb009dcSAndroid Build Coastguard Worker 3813*8fb009dcSAndroid Build Coastguard Worker // A Netscape_spki_st, or |NETSCAPE_SPKI|, represents a 3814*8fb009dcSAndroid Build Coastguard Worker // SignedPublicKeyAndChallenge structure. Although this structure contains a 3815*8fb009dcSAndroid Build Coastguard Worker // |spkac| field of type |NETSCAPE_SPKAC|, these are misnamed. The SPKAC is the 3816*8fb009dcSAndroid Build Coastguard Worker // entire structure, not the signed portion. 3817*8fb009dcSAndroid Build Coastguard Worker struct Netscape_spki_st { 3818*8fb009dcSAndroid Build Coastguard Worker NETSCAPE_SPKAC *spkac; 3819*8fb009dcSAndroid Build Coastguard Worker X509_ALGOR *sig_algor; 3820*8fb009dcSAndroid Build Coastguard Worker ASN1_BIT_STRING *signature; 3821*8fb009dcSAndroid Build Coastguard Worker } /* NETSCAPE_SPKI */; 3822*8fb009dcSAndroid Build Coastguard Worker 3823*8fb009dcSAndroid Build Coastguard Worker // NETSCAPE_SPKI_new returns a newly-allocated, empty |NETSCAPE_SPKI| object, or 3824*8fb009dcSAndroid Build Coastguard Worker // NULL on error. 3825*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT NETSCAPE_SPKI *NETSCAPE_SPKI_new(void); 3826*8fb009dcSAndroid Build Coastguard Worker 3827*8fb009dcSAndroid Build Coastguard Worker // NETSCAPE_SPKI_free releases memory associated with |spki|. 3828*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void NETSCAPE_SPKI_free(NETSCAPE_SPKI *spki); 3829*8fb009dcSAndroid Build Coastguard Worker 3830*8fb009dcSAndroid Build Coastguard Worker // d2i_NETSCAPE_SPKI parses up to |len| bytes from |*inp| as a DER-encoded 3831*8fb009dcSAndroid Build Coastguard Worker // SignedPublicKeyAndChallenge structure, as described in |d2i_SAMPLE|. 3832*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT NETSCAPE_SPKI *d2i_NETSCAPE_SPKI(NETSCAPE_SPKI **out, 3833*8fb009dcSAndroid Build Coastguard Worker const uint8_t **inp, long len); 3834*8fb009dcSAndroid Build Coastguard Worker 3835*8fb009dcSAndroid Build Coastguard Worker // i2d_NETSCAPE_SPKI marshals |spki| as a DER-encoded 3836*8fb009dcSAndroid Build Coastguard Worker // SignedPublicKeyAndChallenge structure, as described in |i2d_SAMPLE|. 3837*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_NETSCAPE_SPKI(const NETSCAPE_SPKI *spki, uint8_t **outp); 3838*8fb009dcSAndroid Build Coastguard Worker 3839*8fb009dcSAndroid Build Coastguard Worker // NETSCAPE_SPKI_verify checks that |spki| has a valid signature by |pkey|. It 3840*8fb009dcSAndroid Build Coastguard Worker // returns one if the signature is valid and zero otherwise. 3841*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *spki, EVP_PKEY *pkey); 3842*8fb009dcSAndroid Build Coastguard Worker 3843*8fb009dcSAndroid Build Coastguard Worker // NETSCAPE_SPKI_b64_decode decodes |len| bytes from |str| as a base64-encoded 3844*8fb009dcSAndroid Build Coastguard Worker // SignedPublicKeyAndChallenge structure. It returns a newly-allocated 3845*8fb009dcSAndroid Build Coastguard Worker // |NETSCAPE_SPKI| structure with the result, or NULL on error. If |len| is 0 or 3846*8fb009dcSAndroid Build Coastguard Worker // negative, the length is calculated with |strlen| and |str| must be a 3847*8fb009dcSAndroid Build Coastguard Worker // NUL-terminated C string. 3848*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT NETSCAPE_SPKI *NETSCAPE_SPKI_b64_decode(const char *str, 3849*8fb009dcSAndroid Build Coastguard Worker ossl_ssize_t len); 3850*8fb009dcSAndroid Build Coastguard Worker 3851*8fb009dcSAndroid Build Coastguard Worker // NETSCAPE_SPKI_b64_encode encodes |spki| as a base64-encoded 3852*8fb009dcSAndroid Build Coastguard Worker // SignedPublicKeyAndChallenge structure. It returns a newly-allocated 3853*8fb009dcSAndroid Build Coastguard Worker // NUL-terminated C string with the result, or NULL on error. The caller must 3854*8fb009dcSAndroid Build Coastguard Worker // release the memory with |OPENSSL_free| when done. 3855*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki); 3856*8fb009dcSAndroid Build Coastguard Worker 3857*8fb009dcSAndroid Build Coastguard Worker // NETSCAPE_SPKI_get_pubkey decodes and returns the public key in |spki| as an 3858*8fb009dcSAndroid Build Coastguard Worker // |EVP_PKEY|, or NULL on error. The caller takes ownership of the resulting 3859*8fb009dcSAndroid Build Coastguard Worker // pointer and must call |EVP_PKEY_free| when done. 3860*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT EVP_PKEY *NETSCAPE_SPKI_get_pubkey(const NETSCAPE_SPKI *spki); 3861*8fb009dcSAndroid Build Coastguard Worker 3862*8fb009dcSAndroid Build Coastguard Worker // NETSCAPE_SPKI_set_pubkey sets |spki|'s public key to |pkey|. It returns one 3863*8fb009dcSAndroid Build Coastguard Worker // on success or zero on error. This function does not take ownership of |pkey|, 3864*8fb009dcSAndroid Build Coastguard Worker // so the caller may continue to manage its lifetime independently of |spki|. 3865*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *spki, 3866*8fb009dcSAndroid Build Coastguard Worker EVP_PKEY *pkey); 3867*8fb009dcSAndroid Build Coastguard Worker 3868*8fb009dcSAndroid Build Coastguard Worker // NETSCAPE_SPKI_sign signs |spki| with |pkey| and replaces the signature 3869*8fb009dcSAndroid Build Coastguard Worker // algorithm and signature fields. It returns the length of the signature on 3870*8fb009dcSAndroid Build Coastguard Worker // success and zero on error. This function uses digest algorithm |md|, or 3871*8fb009dcSAndroid Build Coastguard Worker // |pkey|'s default if NULL. Other signing parameters use |pkey|'s defaults. 3872*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *spki, EVP_PKEY *pkey, 3873*8fb009dcSAndroid Build Coastguard Worker const EVP_MD *md); 3874*8fb009dcSAndroid Build Coastguard Worker 3875*8fb009dcSAndroid Build Coastguard Worker // A Netscape_spkac_st, or |NETSCAPE_SPKAC|, represents a PublicKeyAndChallenge 3876*8fb009dcSAndroid Build Coastguard Worker // structure. This type is misnamed. The full SPKAC includes the signature, 3877*8fb009dcSAndroid Build Coastguard Worker // which is represented with the |NETSCAPE_SPKI| type. 3878*8fb009dcSAndroid Build Coastguard Worker struct Netscape_spkac_st { 3879*8fb009dcSAndroid Build Coastguard Worker X509_PUBKEY *pubkey; 3880*8fb009dcSAndroid Build Coastguard Worker ASN1_IA5STRING *challenge; 3881*8fb009dcSAndroid Build Coastguard Worker } /* NETSCAPE_SPKAC */; 3882*8fb009dcSAndroid Build Coastguard Worker 3883*8fb009dcSAndroid Build Coastguard Worker // NETSCAPE_SPKAC_new returns a newly-allocated, empty |NETSCAPE_SPKAC| object, 3884*8fb009dcSAndroid Build Coastguard Worker // or NULL on error. 3885*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT NETSCAPE_SPKAC *NETSCAPE_SPKAC_new(void); 3886*8fb009dcSAndroid Build Coastguard Worker 3887*8fb009dcSAndroid Build Coastguard Worker // NETSCAPE_SPKAC_free releases memory associated with |spkac|. 3888*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void NETSCAPE_SPKAC_free(NETSCAPE_SPKAC *spkac); 3889*8fb009dcSAndroid Build Coastguard Worker 3890*8fb009dcSAndroid Build Coastguard Worker // d2i_NETSCAPE_SPKAC parses up to |len| bytes from |*inp| as a DER-encoded 3891*8fb009dcSAndroid Build Coastguard Worker // PublicKeyAndChallenge structure, as described in |d2i_SAMPLE|. 3892*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT NETSCAPE_SPKAC *d2i_NETSCAPE_SPKAC(NETSCAPE_SPKAC **out, 3893*8fb009dcSAndroid Build Coastguard Worker const uint8_t **inp, 3894*8fb009dcSAndroid Build Coastguard Worker long len); 3895*8fb009dcSAndroid Build Coastguard Worker 3896*8fb009dcSAndroid Build Coastguard Worker // i2d_NETSCAPE_SPKAC marshals |spkac| as a DER-encoded PublicKeyAndChallenge 3897*8fb009dcSAndroid Build Coastguard Worker // structure, as described in |i2d_SAMPLE|. 3898*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_NETSCAPE_SPKAC(const NETSCAPE_SPKAC *spkac, 3899*8fb009dcSAndroid Build Coastguard Worker uint8_t **outp); 3900*8fb009dcSAndroid Build Coastguard Worker 3901*8fb009dcSAndroid Build Coastguard Worker 3902*8fb009dcSAndroid Build Coastguard Worker // RSASSA-PSS Parameters. 3903*8fb009dcSAndroid Build Coastguard Worker // 3904*8fb009dcSAndroid Build Coastguard Worker // In X.509, RSASSA-PSS signatures and keys use a complex parameter structure, 3905*8fb009dcSAndroid Build Coastguard Worker // defined in RFC 4055. The following functions are provided for compatibility 3906*8fb009dcSAndroid Build Coastguard Worker // with some OpenSSL APIs relating to this. Use of RSASSA-PSS in X.509 is 3907*8fb009dcSAndroid Build Coastguard Worker // discouraged. The parameters structure is very complex, and it takes more 3908*8fb009dcSAndroid Build Coastguard Worker // bytes to merely encode parameters than an entire P-256 ECDSA signature. 3909*8fb009dcSAndroid Build Coastguard Worker 3910*8fb009dcSAndroid Build Coastguard Worker // An rsa_pss_params_st, aka |RSA_PSS_PARAMS|, represents a parsed 3911*8fb009dcSAndroid Build Coastguard Worker // RSASSA-PSS-params structure, as defined in (RFC 4055). 3912*8fb009dcSAndroid Build Coastguard Worker struct rsa_pss_params_st { 3913*8fb009dcSAndroid Build Coastguard Worker X509_ALGOR *hashAlgorithm; 3914*8fb009dcSAndroid Build Coastguard Worker X509_ALGOR *maskGenAlgorithm; 3915*8fb009dcSAndroid Build Coastguard Worker ASN1_INTEGER *saltLength; 3916*8fb009dcSAndroid Build Coastguard Worker ASN1_INTEGER *trailerField; 3917*8fb009dcSAndroid Build Coastguard Worker // OpenSSL caches the MGF hash on |RSA_PSS_PARAMS| in some cases. None of the 3918*8fb009dcSAndroid Build Coastguard Worker // cases apply to BoringSSL, so this is always NULL, but Node expects the 3919*8fb009dcSAndroid Build Coastguard Worker // field to be present. 3920*8fb009dcSAndroid Build Coastguard Worker X509_ALGOR *maskHash; 3921*8fb009dcSAndroid Build Coastguard Worker } /* RSA_PSS_PARAMS */; 3922*8fb009dcSAndroid Build Coastguard Worker 3923*8fb009dcSAndroid Build Coastguard Worker // RSA_PSS_PARAMS is an |ASN1_ITEM| whose ASN.1 type is RSASSA-PSS-params (RFC 3924*8fb009dcSAndroid Build Coastguard Worker // 4055) and C type is |RSA_PSS_PARAMS*|. 3925*8fb009dcSAndroid Build Coastguard Worker DECLARE_ASN1_ITEM(RSA_PSS_PARAMS) 3926*8fb009dcSAndroid Build Coastguard Worker 3927*8fb009dcSAndroid Build Coastguard Worker // RSA_PSS_PARAMS_new returns a new, empty |RSA_PSS_PARAMS|, or NULL on error. 3928*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT RSA_PSS_PARAMS *RSA_PSS_PARAMS_new(void); 3929*8fb009dcSAndroid Build Coastguard Worker 3930*8fb009dcSAndroid Build Coastguard Worker // RSA_PSS_PARAMS_free releases memory associated with |params|. 3931*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void RSA_PSS_PARAMS_free(RSA_PSS_PARAMS *params); 3932*8fb009dcSAndroid Build Coastguard Worker 3933*8fb009dcSAndroid Build Coastguard Worker // d2i_RSA_PSS_PARAMS parses up to |len| bytes from |*inp| as a DER-encoded 3934*8fb009dcSAndroid Build Coastguard Worker // RSASSA-PSS-params (RFC 4055), as described in |d2i_SAMPLE|. 3935*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT RSA_PSS_PARAMS *d2i_RSA_PSS_PARAMS(RSA_PSS_PARAMS **out, 3936*8fb009dcSAndroid Build Coastguard Worker const uint8_t **inp, 3937*8fb009dcSAndroid Build Coastguard Worker long len); 3938*8fb009dcSAndroid Build Coastguard Worker 3939*8fb009dcSAndroid Build Coastguard Worker // i2d_RSA_PSS_PARAMS marshals |in| as a DER-encoded RSASSA-PSS-params (RFC 3940*8fb009dcSAndroid Build Coastguard Worker // 4055), as described in |i2d_SAMPLE|. 3941*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_RSA_PSS_PARAMS(const RSA_PSS_PARAMS *in, uint8_t **outp); 3942*8fb009dcSAndroid Build Coastguard Worker 3943*8fb009dcSAndroid Build Coastguard Worker 3944*8fb009dcSAndroid Build Coastguard Worker // PKCS#8 private keys. 3945*8fb009dcSAndroid Build Coastguard Worker // 3946*8fb009dcSAndroid Build Coastguard Worker // The |PKCS8_PRIV_KEY_INFO| type represents a PKCS#8 PrivateKeyInfo (RFC 5208) 3947*8fb009dcSAndroid Build Coastguard Worker // structure. This is analogous to SubjectPublicKeyInfo and uses the same 3948*8fb009dcSAndroid Build Coastguard Worker // AlgorithmIdentifiers, but carries private keys and is not part of X.509 3949*8fb009dcSAndroid Build Coastguard Worker // itself. 3950*8fb009dcSAndroid Build Coastguard Worker // 3951*8fb009dcSAndroid Build Coastguard Worker // TODO(davidben): Do these functions really belong in this header? 3952*8fb009dcSAndroid Build Coastguard Worker 3953*8fb009dcSAndroid Build Coastguard Worker // PKCS8_PRIV_KEY_INFO_new returns a newly-allocated, empty 3954*8fb009dcSAndroid Build Coastguard Worker // |PKCS8_PRIV_KEY_INFO| object, or NULL on error. 3955*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *PKCS8_PRIV_KEY_INFO_new(void); 3956*8fb009dcSAndroid Build Coastguard Worker 3957*8fb009dcSAndroid Build Coastguard Worker // PKCS8_PRIV_KEY_INFO_free releases memory associated with |key|. 3958*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void PKCS8_PRIV_KEY_INFO_free(PKCS8_PRIV_KEY_INFO *key); 3959*8fb009dcSAndroid Build Coastguard Worker 3960*8fb009dcSAndroid Build Coastguard Worker // d2i_PKCS8_PRIV_KEY_INFO parses up to |len| bytes from |*inp| as a DER-encoded 3961*8fb009dcSAndroid Build Coastguard Worker // PrivateKeyInfo, as described in |d2i_SAMPLE|. 3962*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO( 3963*8fb009dcSAndroid Build Coastguard Worker PKCS8_PRIV_KEY_INFO **out, const uint8_t **inp, long len); 3964*8fb009dcSAndroid Build Coastguard Worker 3965*8fb009dcSAndroid Build Coastguard Worker // i2d_PKCS8_PRIV_KEY_INFO marshals |key| as a DER-encoded PrivateKeyInfo, as 3966*8fb009dcSAndroid Build Coastguard Worker // described in |i2d_SAMPLE|. 3967*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_PKCS8_PRIV_KEY_INFO(const PKCS8_PRIV_KEY_INFO *key, 3968*8fb009dcSAndroid Build Coastguard Worker uint8_t **outp); 3969*8fb009dcSAndroid Build Coastguard Worker 3970*8fb009dcSAndroid Build Coastguard Worker // EVP_PKCS82PKEY returns |p8| as a newly-allocated |EVP_PKEY|, or NULL if the 3971*8fb009dcSAndroid Build Coastguard Worker // key was unsupported or could not be decoded. The caller must release the 3972*8fb009dcSAndroid Build Coastguard Worker // result with |EVP_PKEY_free| when done. 3973*8fb009dcSAndroid Build Coastguard Worker // 3974*8fb009dcSAndroid Build Coastguard Worker // Use |EVP_parse_private_key| instead. 3975*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT EVP_PKEY *EVP_PKCS82PKEY(const PKCS8_PRIV_KEY_INFO *p8); 3976*8fb009dcSAndroid Build Coastguard Worker 3977*8fb009dcSAndroid Build Coastguard Worker // EVP_PKEY2PKCS8 encodes |pkey| as a PKCS#8 PrivateKeyInfo (RFC 5208), 3978*8fb009dcSAndroid Build Coastguard Worker // represented as a newly-allocated |PKCS8_PRIV_KEY_INFO|, or NULL on error. The 3979*8fb009dcSAndroid Build Coastguard Worker // caller must release the result with |PKCS8_PRIV_KEY_INFO_free| when done. 3980*8fb009dcSAndroid Build Coastguard Worker // 3981*8fb009dcSAndroid Build Coastguard Worker // Use |EVP_marshal_private_key| instead. 3982*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(const EVP_PKEY *pkey); 3983*8fb009dcSAndroid Build Coastguard Worker 3984*8fb009dcSAndroid Build Coastguard Worker 3985*8fb009dcSAndroid Build Coastguard Worker // Algorithm and octet string pairs. 3986*8fb009dcSAndroid Build Coastguard Worker // 3987*8fb009dcSAndroid Build Coastguard Worker // The |X509_SIG| type represents an ASN.1 SEQUENCE type of an 3988*8fb009dcSAndroid Build Coastguard Worker // AlgorithmIdentifier and an OCTET STRING. Although named |X509_SIG|, there is 3989*8fb009dcSAndroid Build Coastguard Worker // no type in X.509 which matches this format. The two common types which do are 3990*8fb009dcSAndroid Build Coastguard Worker // DigestInfo (RFC 2315 and RFC 8017), and EncryptedPrivateKeyInfo (RFC 5208). 3991*8fb009dcSAndroid Build Coastguard Worker 3992*8fb009dcSAndroid Build Coastguard Worker // X509_SIG_new returns a newly-allocated, empty |X509_SIG| object, or NULL on 3993*8fb009dcSAndroid Build Coastguard Worker // error. 3994*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_SIG *X509_SIG_new(void); 3995*8fb009dcSAndroid Build Coastguard Worker 3996*8fb009dcSAndroid Build Coastguard Worker // X509_SIG_free releases memory associated with |key|. 3997*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_SIG_free(X509_SIG *key); 3998*8fb009dcSAndroid Build Coastguard Worker 3999*8fb009dcSAndroid Build Coastguard Worker // d2i_X509_SIG parses up to |len| bytes from |*inp| as a DER-encoded algorithm 4000*8fb009dcSAndroid Build Coastguard Worker // and octet string pair, as described in |d2i_SAMPLE|. 4001*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_SIG *d2i_X509_SIG(X509_SIG **out, const uint8_t **inp, 4002*8fb009dcSAndroid Build Coastguard Worker long len); 4003*8fb009dcSAndroid Build Coastguard Worker 4004*8fb009dcSAndroid Build Coastguard Worker // i2d_X509_SIG marshals |sig| as a DER-encoded algorithm 4005*8fb009dcSAndroid Build Coastguard Worker // and octet string pair, as described in |i2d_SAMPLE|. 4006*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_X509_SIG(const X509_SIG *sig, uint8_t **outp); 4007*8fb009dcSAndroid Build Coastguard Worker 4008*8fb009dcSAndroid Build Coastguard Worker // X509_SIG_get0 sets |*out_alg| and |*out_digest| to non-owning pointers to 4009*8fb009dcSAndroid Build Coastguard Worker // |sig|'s algorithm and digest fields, respectively. Either |out_alg| and 4010*8fb009dcSAndroid Build Coastguard Worker // |out_digest| may be NULL to skip those fields. 4011*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_SIG_get0(const X509_SIG *sig, 4012*8fb009dcSAndroid Build Coastguard Worker const X509_ALGOR **out_alg, 4013*8fb009dcSAndroid Build Coastguard Worker const ASN1_OCTET_STRING **out_digest); 4014*8fb009dcSAndroid Build Coastguard Worker 4015*8fb009dcSAndroid Build Coastguard Worker // X509_SIG_getm behaves like |X509_SIG_get0| but returns mutable pointers. 4016*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **out_alg, 4017*8fb009dcSAndroid Build Coastguard Worker ASN1_OCTET_STRING **out_digest); 4018*8fb009dcSAndroid Build Coastguard Worker 4019*8fb009dcSAndroid Build Coastguard Worker 4020*8fb009dcSAndroid Build Coastguard Worker // Printing functions. 4021*8fb009dcSAndroid Build Coastguard Worker // 4022*8fb009dcSAndroid Build Coastguard Worker // The following functions output human-readable representations of 4023*8fb009dcSAndroid Build Coastguard Worker // X.509-related structures. They should only be used for debugging or logging 4024*8fb009dcSAndroid Build Coastguard Worker // and not parsed programmatically. In many cases, the outputs are ambiguous, so 4025*8fb009dcSAndroid Build Coastguard Worker // attempting to parse them can lead to string injection vulnerabilities. 4026*8fb009dcSAndroid Build Coastguard Worker 4027*8fb009dcSAndroid Build Coastguard Worker // The following flags control |X509_print_ex| and |X509_REQ_print_ex|. These 4028*8fb009dcSAndroid Build Coastguard Worker // flags co-exist with |X509V3_EXT_*|, so avoid collisions when adding new ones. 4029*8fb009dcSAndroid Build Coastguard Worker 4030*8fb009dcSAndroid Build Coastguard Worker // X509_FLAG_COMPAT disables all flags. It additionally causes names to be 4031*8fb009dcSAndroid Build Coastguard Worker // printed with a 16-byte indent. 4032*8fb009dcSAndroid Build Coastguard Worker #define X509_FLAG_COMPAT 0 4033*8fb009dcSAndroid Build Coastguard Worker 4034*8fb009dcSAndroid Build Coastguard Worker // X509_FLAG_NO_HEADER skips a header identifying the type of object printed. 4035*8fb009dcSAndroid Build Coastguard Worker #define X509_FLAG_NO_HEADER 1L 4036*8fb009dcSAndroid Build Coastguard Worker 4037*8fb009dcSAndroid Build Coastguard Worker // X509_FLAG_NO_VERSION skips printing the X.509 version number. 4038*8fb009dcSAndroid Build Coastguard Worker #define X509_FLAG_NO_VERSION (1L << 1) 4039*8fb009dcSAndroid Build Coastguard Worker 4040*8fb009dcSAndroid Build Coastguard Worker // X509_FLAG_NO_SERIAL skips printing the serial number. It is ignored in 4041*8fb009dcSAndroid Build Coastguard Worker // |X509_REQ_print_fp|. 4042*8fb009dcSAndroid Build Coastguard Worker #define X509_FLAG_NO_SERIAL (1L << 2) 4043*8fb009dcSAndroid Build Coastguard Worker 4044*8fb009dcSAndroid Build Coastguard Worker // X509_FLAG_NO_SIGNAME skips printing the signature algorithm in the 4045*8fb009dcSAndroid Build Coastguard Worker // TBSCertificate. It is ignored in |X509_REQ_print_fp|. 4046*8fb009dcSAndroid Build Coastguard Worker #define X509_FLAG_NO_SIGNAME (1L << 3) 4047*8fb009dcSAndroid Build Coastguard Worker 4048*8fb009dcSAndroid Build Coastguard Worker // X509_FLAG_NO_ISSUER skips printing the issuer. 4049*8fb009dcSAndroid Build Coastguard Worker #define X509_FLAG_NO_ISSUER (1L << 4) 4050*8fb009dcSAndroid Build Coastguard Worker 4051*8fb009dcSAndroid Build Coastguard Worker // X509_FLAG_NO_VALIDITY skips printing the notBefore and notAfter times. It is 4052*8fb009dcSAndroid Build Coastguard Worker // ignored in |X509_REQ_print_fp|. 4053*8fb009dcSAndroid Build Coastguard Worker #define X509_FLAG_NO_VALIDITY (1L << 5) 4054*8fb009dcSAndroid Build Coastguard Worker 4055*8fb009dcSAndroid Build Coastguard Worker // X509_FLAG_NO_SUBJECT skips printing the subject. 4056*8fb009dcSAndroid Build Coastguard Worker #define X509_FLAG_NO_SUBJECT (1L << 6) 4057*8fb009dcSAndroid Build Coastguard Worker 4058*8fb009dcSAndroid Build Coastguard Worker // X509_FLAG_NO_PUBKEY skips printing the public key. 4059*8fb009dcSAndroid Build Coastguard Worker #define X509_FLAG_NO_PUBKEY (1L << 7) 4060*8fb009dcSAndroid Build Coastguard Worker 4061*8fb009dcSAndroid Build Coastguard Worker // X509_FLAG_NO_EXTENSIONS skips printing the extension list. It is ignored in 4062*8fb009dcSAndroid Build Coastguard Worker // |X509_REQ_print_fp|. CSRs instead have attributes, which is controlled by 4063*8fb009dcSAndroid Build Coastguard Worker // |X509_FLAG_NO_ATTRIBUTES|. 4064*8fb009dcSAndroid Build Coastguard Worker #define X509_FLAG_NO_EXTENSIONS (1L << 8) 4065*8fb009dcSAndroid Build Coastguard Worker 4066*8fb009dcSAndroid Build Coastguard Worker // X509_FLAG_NO_SIGDUMP skips printing the signature and outer signature 4067*8fb009dcSAndroid Build Coastguard Worker // algorithm. 4068*8fb009dcSAndroid Build Coastguard Worker #define X509_FLAG_NO_SIGDUMP (1L << 9) 4069*8fb009dcSAndroid Build Coastguard Worker 4070*8fb009dcSAndroid Build Coastguard Worker // X509_FLAG_NO_AUX skips printing auxiliary properties. (See |d2i_X509_AUX| and 4071*8fb009dcSAndroid Build Coastguard Worker // related functions.) 4072*8fb009dcSAndroid Build Coastguard Worker #define X509_FLAG_NO_AUX (1L << 10) 4073*8fb009dcSAndroid Build Coastguard Worker 4074*8fb009dcSAndroid Build Coastguard Worker // X509_FLAG_NO_ATTRIBUTES skips printing CSR attributes. It does nothing for 4075*8fb009dcSAndroid Build Coastguard Worker // certificates and CRLs. 4076*8fb009dcSAndroid Build Coastguard Worker #define X509_FLAG_NO_ATTRIBUTES (1L << 11) 4077*8fb009dcSAndroid Build Coastguard Worker 4078*8fb009dcSAndroid Build Coastguard Worker // X509_FLAG_NO_IDS skips printing the issuerUniqueID and subjectUniqueID in a 4079*8fb009dcSAndroid Build Coastguard Worker // certificate. It is ignored in |X509_REQ_print_fp|. 4080*8fb009dcSAndroid Build Coastguard Worker #define X509_FLAG_NO_IDS (1L << 12) 4081*8fb009dcSAndroid Build Coastguard Worker 4082*8fb009dcSAndroid Build Coastguard Worker // The following flags control |X509_print_ex|, |X509_REQ_print_ex|, 4083*8fb009dcSAndroid Build Coastguard Worker // |X509V3_EXT_print|, and |X509V3_extensions_print|. These flags coexist with 4084*8fb009dcSAndroid Build Coastguard Worker // |X509_FLAG_*|, so avoid collisions when adding new ones. 4085*8fb009dcSAndroid Build Coastguard Worker 4086*8fb009dcSAndroid Build Coastguard Worker // X509V3_EXT_UNKNOWN_MASK is a mask that determines how unknown extensions are 4087*8fb009dcSAndroid Build Coastguard Worker // processed. 4088*8fb009dcSAndroid Build Coastguard Worker #define X509V3_EXT_UNKNOWN_MASK (0xfL << 16) 4089*8fb009dcSAndroid Build Coastguard Worker 4090*8fb009dcSAndroid Build Coastguard Worker // X509V3_EXT_DEFAULT causes unknown extensions or syntax errors to return 4091*8fb009dcSAndroid Build Coastguard Worker // failure. 4092*8fb009dcSAndroid Build Coastguard Worker #define X509V3_EXT_DEFAULT 0 4093*8fb009dcSAndroid Build Coastguard Worker 4094*8fb009dcSAndroid Build Coastguard Worker // X509V3_EXT_ERROR_UNKNOWN causes unknown extensions or syntax errors to print 4095*8fb009dcSAndroid Build Coastguard Worker // as "<Not Supported>" or "<Parse Error>", respectively. 4096*8fb009dcSAndroid Build Coastguard Worker #define X509V3_EXT_ERROR_UNKNOWN (1L << 16) 4097*8fb009dcSAndroid Build Coastguard Worker 4098*8fb009dcSAndroid Build Coastguard Worker // X509V3_EXT_PARSE_UNKNOWN is deprecated and behaves like 4099*8fb009dcSAndroid Build Coastguard Worker // |X509V3_EXT_DUMP_UNKNOWN|. 4100*8fb009dcSAndroid Build Coastguard Worker #define X509V3_EXT_PARSE_UNKNOWN (2L << 16) 4101*8fb009dcSAndroid Build Coastguard Worker 4102*8fb009dcSAndroid Build Coastguard Worker // X509V3_EXT_DUMP_UNKNOWN causes unknown extensions to be displayed as a 4103*8fb009dcSAndroid Build Coastguard Worker // hexdump. 4104*8fb009dcSAndroid Build Coastguard Worker #define X509V3_EXT_DUMP_UNKNOWN (3L << 16) 4105*8fb009dcSAndroid Build Coastguard Worker 4106*8fb009dcSAndroid Build Coastguard Worker // X509_print_ex writes a human-readable representation of |x| to |bp|. It 4107*8fb009dcSAndroid Build Coastguard Worker // returns one on success and zero on error. |nmflags| is the flags parameter 4108*8fb009dcSAndroid Build Coastguard Worker // for |X509_NAME_print_ex| when printing the subject and issuer. |cflag| should 4109*8fb009dcSAndroid Build Coastguard Worker // be some combination of the |X509_FLAG_*| and |X509V3_EXT_*| constants. 4110*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflag, 4111*8fb009dcSAndroid Build Coastguard Worker unsigned long cflag); 4112*8fb009dcSAndroid Build Coastguard Worker 4113*8fb009dcSAndroid Build Coastguard Worker // X509_print_ex_fp behaves like |X509_print_ex| but writes to |fp|. 4114*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_print_ex_fp(FILE *fp, X509 *x, unsigned long nmflag, 4115*8fb009dcSAndroid Build Coastguard Worker unsigned long cflag); 4116*8fb009dcSAndroid Build Coastguard Worker 4117*8fb009dcSAndroid Build Coastguard Worker // X509_print calls |X509_print_ex| with |XN_FLAG_COMPAT| and |X509_FLAG_COMPAT| 4118*8fb009dcSAndroid Build Coastguard Worker // flags. 4119*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_print(BIO *bp, X509 *x); 4120*8fb009dcSAndroid Build Coastguard Worker 4121*8fb009dcSAndroid Build Coastguard Worker // X509_print_fp behaves like |X509_print| but writes to |fp|. 4122*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_print_fp(FILE *fp, X509 *x); 4123*8fb009dcSAndroid Build Coastguard Worker 4124*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_print writes a human-readable representation of |x| to |bp|. It 4125*8fb009dcSAndroid Build Coastguard Worker // returns one on success and zero on error. 4126*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_CRL_print(BIO *bp, X509_CRL *x); 4127*8fb009dcSAndroid Build Coastguard Worker 4128*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_print_fp behaves like |X509_CRL_print| but writes to |fp|. 4129*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_CRL_print_fp(FILE *fp, X509_CRL *x); 4130*8fb009dcSAndroid Build Coastguard Worker 4131*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_print_ex writes a human-readable representation of |x| to |bp|. It 4132*8fb009dcSAndroid Build Coastguard Worker // returns one on success and zero on error. |nmflags| is the flags parameter 4133*8fb009dcSAndroid Build Coastguard Worker // for |X509_NAME_print_ex|, when printing the subject. |cflag| should be some 4134*8fb009dcSAndroid Build Coastguard Worker // combination of the |X509_FLAG_*| and |X509V3_EXT_*| constants. 4135*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflag, 4136*8fb009dcSAndroid Build Coastguard Worker unsigned long cflag); 4137*8fb009dcSAndroid Build Coastguard Worker 4138*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_print calls |X509_REQ_print_ex| with |XN_FLAG_COMPAT| and 4139*8fb009dcSAndroid Build Coastguard Worker // |X509_FLAG_COMPAT| flags. 4140*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REQ_print(BIO *bp, X509_REQ *req); 4141*8fb009dcSAndroid Build Coastguard Worker 4142*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_print_fp behaves like |X509_REQ_print| but writes to |fp|. 4143*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REQ_print_fp(FILE *fp, X509_REQ *req); 4144*8fb009dcSAndroid Build Coastguard Worker 4145*8fb009dcSAndroid Build Coastguard Worker // The following flags are control |X509_NAME_print_ex|. They must not collide 4146*8fb009dcSAndroid Build Coastguard Worker // with |ASN1_STRFLGS_*|. 4147*8fb009dcSAndroid Build Coastguard Worker // 4148*8fb009dcSAndroid Build Coastguard Worker // TODO(davidben): This is far, far too many options and most of them are 4149*8fb009dcSAndroid Build Coastguard Worker // useless. Trim this down. 4150*8fb009dcSAndroid Build Coastguard Worker 4151*8fb009dcSAndroid Build Coastguard Worker // XN_FLAG_COMPAT prints with |X509_NAME_print|'s format and return value 4152*8fb009dcSAndroid Build Coastguard Worker // convention. 4153*8fb009dcSAndroid Build Coastguard Worker #define XN_FLAG_COMPAT 0ul 4154*8fb009dcSAndroid Build Coastguard Worker 4155*8fb009dcSAndroid Build Coastguard Worker // XN_FLAG_SEP_MASK determines the separators to use between attributes. 4156*8fb009dcSAndroid Build Coastguard Worker #define XN_FLAG_SEP_MASK (0xful << 16) 4157*8fb009dcSAndroid Build Coastguard Worker 4158*8fb009dcSAndroid Build Coastguard Worker // XN_FLAG_SEP_COMMA_PLUS separates RDNs with "," and attributes within an RDN 4159*8fb009dcSAndroid Build Coastguard Worker // with "+", as in RFC 2253. 4160*8fb009dcSAndroid Build Coastguard Worker #define XN_FLAG_SEP_COMMA_PLUS (1ul << 16) 4161*8fb009dcSAndroid Build Coastguard Worker 4162*8fb009dcSAndroid Build Coastguard Worker // XN_FLAG_SEP_CPLUS_SPC behaves like |XN_FLAG_SEP_COMMA_PLUS| but adds spaces 4163*8fb009dcSAndroid Build Coastguard Worker // between the separators. 4164*8fb009dcSAndroid Build Coastguard Worker #define XN_FLAG_SEP_CPLUS_SPC (2ul << 16) 4165*8fb009dcSAndroid Build Coastguard Worker 4166*8fb009dcSAndroid Build Coastguard Worker // XN_FLAG_SEP_SPLUS_SPC separates RDNs with "; " and attributes within an RDN 4167*8fb009dcSAndroid Build Coastguard Worker // with " + ". 4168*8fb009dcSAndroid Build Coastguard Worker #define XN_FLAG_SEP_SPLUS_SPC (3ul << 16) 4169*8fb009dcSAndroid Build Coastguard Worker 4170*8fb009dcSAndroid Build Coastguard Worker // XN_FLAG_SEP_MULTILINE prints each attribute on one line. 4171*8fb009dcSAndroid Build Coastguard Worker #define XN_FLAG_SEP_MULTILINE (4ul << 16) 4172*8fb009dcSAndroid Build Coastguard Worker 4173*8fb009dcSAndroid Build Coastguard Worker // XN_FLAG_DN_REV prints RDNs in reverse, from least significant to most 4174*8fb009dcSAndroid Build Coastguard Worker // significant, as RFC 2253. 4175*8fb009dcSAndroid Build Coastguard Worker #define XN_FLAG_DN_REV (1ul << 20) 4176*8fb009dcSAndroid Build Coastguard Worker 4177*8fb009dcSAndroid Build Coastguard Worker // XN_FLAG_FN_MASK determines how attribute types are displayed. 4178*8fb009dcSAndroid Build Coastguard Worker #define XN_FLAG_FN_MASK (0x3ul << 21) 4179*8fb009dcSAndroid Build Coastguard Worker 4180*8fb009dcSAndroid Build Coastguard Worker // XN_FLAG_FN_SN uses the attribute type's short name, when available. 4181*8fb009dcSAndroid Build Coastguard Worker #define XN_FLAG_FN_SN 0ul 4182*8fb009dcSAndroid Build Coastguard Worker 4183*8fb009dcSAndroid Build Coastguard Worker // XN_FLAG_SPC_EQ wraps the "=" operator with spaces when printing attributes. 4184*8fb009dcSAndroid Build Coastguard Worker #define XN_FLAG_SPC_EQ (1ul << 23) 4185*8fb009dcSAndroid Build Coastguard Worker 4186*8fb009dcSAndroid Build Coastguard Worker // XN_FLAG_DUMP_UNKNOWN_FIELDS causes unknown attribute types to be printed in 4187*8fb009dcSAndroid Build Coastguard Worker // hex, as in RFC 2253. 4188*8fb009dcSAndroid Build Coastguard Worker #define XN_FLAG_DUMP_UNKNOWN_FIELDS (1ul << 24) 4189*8fb009dcSAndroid Build Coastguard Worker 4190*8fb009dcSAndroid Build Coastguard Worker // XN_FLAG_RFC2253 prints like RFC 2253. 4191*8fb009dcSAndroid Build Coastguard Worker #define XN_FLAG_RFC2253 \ 4192*8fb009dcSAndroid Build Coastguard Worker (ASN1_STRFLGS_RFC2253 | XN_FLAG_SEP_COMMA_PLUS | XN_FLAG_DN_REV | \ 4193*8fb009dcSAndroid Build Coastguard Worker XN_FLAG_FN_SN | XN_FLAG_DUMP_UNKNOWN_FIELDS) 4194*8fb009dcSAndroid Build Coastguard Worker 4195*8fb009dcSAndroid Build Coastguard Worker // XN_FLAG_ONELINE prints a one-line representation of the name. 4196*8fb009dcSAndroid Build Coastguard Worker #define XN_FLAG_ONELINE \ 4197*8fb009dcSAndroid Build Coastguard Worker (ASN1_STRFLGS_RFC2253 | ASN1_STRFLGS_ESC_QUOTE | XN_FLAG_SEP_CPLUS_SPC | \ 4198*8fb009dcSAndroid Build Coastguard Worker XN_FLAG_SPC_EQ | XN_FLAG_FN_SN) 4199*8fb009dcSAndroid Build Coastguard Worker 4200*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_print_ex writes a human-readable representation of |nm| to |out|. 4201*8fb009dcSAndroid Build Coastguard Worker // Each line of output is indented by |indent| spaces. It returns the number of 4202*8fb009dcSAndroid Build Coastguard Worker // bytes written on success, and -1 on error. If |out| is NULL, it returns the 4203*8fb009dcSAndroid Build Coastguard Worker // number of bytes it would have written but does not write anything. |flags| 4204*8fb009dcSAndroid Build Coastguard Worker // should be some combination of |XN_FLAG_*| and |ASN1_STRFLGS_*| values and 4205*8fb009dcSAndroid Build Coastguard Worker // determines the output. If unsure, use |XN_FLAG_RFC2253|. 4206*8fb009dcSAndroid Build Coastguard Worker // 4207*8fb009dcSAndroid Build Coastguard Worker // If |flags| is |XN_FLAG_COMPAT|, or zero, this function calls 4208*8fb009dcSAndroid Build Coastguard Worker // |X509_NAME_print| instead. In that case, it returns one on success, rather 4209*8fb009dcSAndroid Build Coastguard Worker // than the output length. 4210*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_NAME_print_ex(BIO *out, const X509_NAME *nm, int indent, 4211*8fb009dcSAndroid Build Coastguard Worker unsigned long flags); 4212*8fb009dcSAndroid Build Coastguard Worker 4213*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_print prints a human-readable representation of |name| to |bp|. It 4214*8fb009dcSAndroid Build Coastguard Worker // returns one on success and zero on error. |obase| is ignored. 4215*8fb009dcSAndroid Build Coastguard Worker // 4216*8fb009dcSAndroid Build Coastguard Worker // This function outputs a legacy format that does not correctly handle string 4217*8fb009dcSAndroid Build Coastguard Worker // encodings and other cases. Prefer |X509_NAME_print_ex| if printing a name for 4218*8fb009dcSAndroid Build Coastguard Worker // debugging purposes. 4219*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase); 4220*8fb009dcSAndroid Build Coastguard Worker 4221*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_oneline writes a human-readable representation to |name| to a 4222*8fb009dcSAndroid Build Coastguard Worker // buffer as a NUL-terminated C string. 4223*8fb009dcSAndroid Build Coastguard Worker // 4224*8fb009dcSAndroid Build Coastguard Worker // If |buf| is NULL, returns a newly-allocated buffer containing the result on 4225*8fb009dcSAndroid Build Coastguard Worker // success, or NULL on error. The buffer must be released with |OPENSSL_free| 4226*8fb009dcSAndroid Build Coastguard Worker // when done. 4227*8fb009dcSAndroid Build Coastguard Worker // 4228*8fb009dcSAndroid Build Coastguard Worker // If |buf| is non-NULL, at most |size| bytes of output are written to |buf| 4229*8fb009dcSAndroid Build Coastguard Worker // instead. |size| includes the trailing NUL. The function then returns |buf| on 4230*8fb009dcSAndroid Build Coastguard Worker // success or NULL on error. If the output does not fit in |size| bytes, the 4231*8fb009dcSAndroid Build Coastguard Worker // output is silently truncated at an attribute boundary. 4232*8fb009dcSAndroid Build Coastguard Worker // 4233*8fb009dcSAndroid Build Coastguard Worker // This function outputs a legacy format that does not correctly handle string 4234*8fb009dcSAndroid Build Coastguard Worker // encodings and other cases. Prefer |X509_NAME_print_ex| if printing a name for 4235*8fb009dcSAndroid Build Coastguard Worker // debugging purposes. 4236*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT char *X509_NAME_oneline(const X509_NAME *name, char *buf, int size); 4237*8fb009dcSAndroid Build Coastguard Worker 4238*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_print_ex_fp behaves like |X509_NAME_print_ex| but writes to |fp|. 4239*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_NAME_print_ex_fp(FILE *fp, const X509_NAME *nm, 4240*8fb009dcSAndroid Build Coastguard Worker int indent, unsigned long flags); 4241*8fb009dcSAndroid Build Coastguard Worker 4242*8fb009dcSAndroid Build Coastguard Worker // X509_signature_dump writes a human-readable representation of |sig| to |bio|, 4243*8fb009dcSAndroid Build Coastguard Worker // indented with |indent| spaces. It returns one on success and zero on error. 4244*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_signature_dump(BIO *bio, const ASN1_STRING *sig, 4245*8fb009dcSAndroid Build Coastguard Worker int indent); 4246*8fb009dcSAndroid Build Coastguard Worker 4247*8fb009dcSAndroid Build Coastguard Worker // X509_signature_print writes a human-readable representation of |alg| and 4248*8fb009dcSAndroid Build Coastguard Worker // |sig| to |bio|. It returns one on success and zero on error. 4249*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_signature_print(BIO *bio, const X509_ALGOR *alg, 4250*8fb009dcSAndroid Build Coastguard Worker const ASN1_STRING *sig); 4251*8fb009dcSAndroid Build Coastguard Worker 4252*8fb009dcSAndroid Build Coastguard Worker // X509V3_EXT_print prints a human-readable representation of |ext| to out. It 4253*8fb009dcSAndroid Build Coastguard Worker // returns one on success and zero on error. The output is indented by |indent| 4254*8fb009dcSAndroid Build Coastguard Worker // spaces. |flag| is one of the |X509V3_EXT_*| constants and controls printing 4255*8fb009dcSAndroid Build Coastguard Worker // of unknown extensions and syntax errors. 4256*8fb009dcSAndroid Build Coastguard Worker // 4257*8fb009dcSAndroid Build Coastguard Worker // WARNING: Although some applications programmatically parse the output of this 4258*8fb009dcSAndroid Build Coastguard Worker // function to process X.509 extensions, this is not safe. In many cases, the 4259*8fb009dcSAndroid Build Coastguard Worker // outputs are ambiguous to attempting to parse them can lead to string 4260*8fb009dcSAndroid Build Coastguard Worker // injection vulnerabilities. These functions should only be used for debugging 4261*8fb009dcSAndroid Build Coastguard Worker // or logging. 4262*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509V3_EXT_print(BIO *out, const X509_EXTENSION *ext, 4263*8fb009dcSAndroid Build Coastguard Worker unsigned long flag, int indent); 4264*8fb009dcSAndroid Build Coastguard Worker 4265*8fb009dcSAndroid Build Coastguard Worker // X509V3_EXT_print_fp behaves like |X509V3_EXT_print| but writes to a |FILE| 4266*8fb009dcSAndroid Build Coastguard Worker // instead of a |BIO|. 4267*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509V3_EXT_print_fp(FILE *out, const X509_EXTENSION *ext, 4268*8fb009dcSAndroid Build Coastguard Worker int flag, int indent); 4269*8fb009dcSAndroid Build Coastguard Worker 4270*8fb009dcSAndroid Build Coastguard Worker // X509V3_extensions_print prints |title|, followed by a human-readable 4271*8fb009dcSAndroid Build Coastguard Worker // representation of |exts| to |out|. It returns one on success and zero on 4272*8fb009dcSAndroid Build Coastguard Worker // error. The output is indented by |indent| spaces. |flag| is one of the 4273*8fb009dcSAndroid Build Coastguard Worker // |X509V3_EXT_*| constants and controls printing of unknown extensions and 4274*8fb009dcSAndroid Build Coastguard Worker // syntax errors. 4275*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509V3_extensions_print(BIO *out, const char *title, 4276*8fb009dcSAndroid Build Coastguard Worker const STACK_OF(X509_EXTENSION) *exts, 4277*8fb009dcSAndroid Build Coastguard Worker unsigned long flag, int indent); 4278*8fb009dcSAndroid Build Coastguard Worker 4279*8fb009dcSAndroid Build Coastguard Worker // GENERAL_NAME_print prints a human-readable representation of |gen| to |out|. 4280*8fb009dcSAndroid Build Coastguard Worker // It returns one on success and zero on error. 4281*8fb009dcSAndroid Build Coastguard Worker // 4282*8fb009dcSAndroid Build Coastguard Worker // TODO(davidben): Actually, it just returns one and doesn't check for I/O or 4283*8fb009dcSAndroid Build Coastguard Worker // allocation errors. But it should return zero on error. 4284*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int GENERAL_NAME_print(BIO *out, const GENERAL_NAME *gen); 4285*8fb009dcSAndroid Build Coastguard Worker 4286*8fb009dcSAndroid Build Coastguard Worker 4287*8fb009dcSAndroid Build Coastguard Worker // Convenience functions. 4288*8fb009dcSAndroid Build Coastguard Worker 4289*8fb009dcSAndroid Build Coastguard Worker // X509_pubkey_digest hashes the contents of the BIT STRING in |x509|'s 4290*8fb009dcSAndroid Build Coastguard Worker // subjectPublicKeyInfo field with |md| and writes the result to |out|. 4291*8fb009dcSAndroid Build Coastguard Worker // |EVP_MD_CTX_size| bytes are written, which is at most |EVP_MAX_MD_SIZE|. If 4292*8fb009dcSAndroid Build Coastguard Worker // |out_len| is not NULL, |*out_len| is set to the number of bytes written. This 4293*8fb009dcSAndroid Build Coastguard Worker // function returns one on success and zero on error. 4294*8fb009dcSAndroid Build Coastguard Worker // 4295*8fb009dcSAndroid Build Coastguard Worker // This hash omits the BIT STRING tag, length, and number of unused bits. It 4296*8fb009dcSAndroid Build Coastguard Worker // also omits the AlgorithmIdentifier which describes the key type. It 4297*8fb009dcSAndroid Build Coastguard Worker // corresponds to the OCSP KeyHash definition and is not suitable for other 4298*8fb009dcSAndroid Build Coastguard Worker // purposes. 4299*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_pubkey_digest(const X509 *x509, const EVP_MD *md, 4300*8fb009dcSAndroid Build Coastguard Worker uint8_t *out, unsigned *out_len); 4301*8fb009dcSAndroid Build Coastguard Worker 4302*8fb009dcSAndroid Build Coastguard Worker // X509_digest hashes |x509|'s DER encoding with |md| and writes the result to 4303*8fb009dcSAndroid Build Coastguard Worker // |out|. |EVP_MD_CTX_size| bytes are written, which is at most 4304*8fb009dcSAndroid Build Coastguard Worker // |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number 4305*8fb009dcSAndroid Build Coastguard Worker // of bytes written. This function returns one on success and zero on error. 4306*8fb009dcSAndroid Build Coastguard Worker // Note this digest covers the entire certificate, not just the signed portion. 4307*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_digest(const X509 *x509, const EVP_MD *md, uint8_t *out, 4308*8fb009dcSAndroid Build Coastguard Worker unsigned *out_len); 4309*8fb009dcSAndroid Build Coastguard Worker 4310*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_digest hashes |crl|'s DER encoding with |md| and writes the result 4311*8fb009dcSAndroid Build Coastguard Worker // to |out|. |EVP_MD_CTX_size| bytes are written, which is at most 4312*8fb009dcSAndroid Build Coastguard Worker // |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number 4313*8fb009dcSAndroid Build Coastguard Worker // of bytes written. This function returns one on success and zero on error. 4314*8fb009dcSAndroid Build Coastguard Worker // Note this digest covers the entire CRL, not just the signed portion. 4315*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_CRL_digest(const X509_CRL *crl, const EVP_MD *md, 4316*8fb009dcSAndroid Build Coastguard Worker uint8_t *out, unsigned *out_len); 4317*8fb009dcSAndroid Build Coastguard Worker 4318*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_digest hashes |req|'s DER encoding with |md| and writes the result 4319*8fb009dcSAndroid Build Coastguard Worker // to |out|. |EVP_MD_CTX_size| bytes are written, which is at most 4320*8fb009dcSAndroid Build Coastguard Worker // |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number 4321*8fb009dcSAndroid Build Coastguard Worker // of bytes written. This function returns one on success and zero on error. 4322*8fb009dcSAndroid Build Coastguard Worker // Note this digest covers the entire certificate request, not just the signed 4323*8fb009dcSAndroid Build Coastguard Worker // portion. 4324*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_REQ_digest(const X509_REQ *req, const EVP_MD *md, 4325*8fb009dcSAndroid Build Coastguard Worker uint8_t *out, unsigned *out_len); 4326*8fb009dcSAndroid Build Coastguard Worker 4327*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_digest hashes |name|'s DER encoding with |md| and writes the result 4328*8fb009dcSAndroid Build Coastguard Worker // to |out|. |EVP_MD_CTX_size| bytes are written, which is at most 4329*8fb009dcSAndroid Build Coastguard Worker // |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number 4330*8fb009dcSAndroid Build Coastguard Worker // of bytes written. This function returns one on success and zero on error. 4331*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_NAME_digest(const X509_NAME *name, const EVP_MD *md, 4332*8fb009dcSAndroid Build Coastguard Worker uint8_t *out, unsigned *out_len); 4333*8fb009dcSAndroid Build Coastguard Worker 4334*8fb009dcSAndroid Build Coastguard Worker // The following functions behave like the corresponding unsuffixed |d2i_*| 4335*8fb009dcSAndroid Build Coastguard Worker // functions, but read the result from |bp| instead. Callers using these 4336*8fb009dcSAndroid Build Coastguard Worker // functions with memory |BIO|s to parse structures already in memory should use 4337*8fb009dcSAndroid Build Coastguard Worker // |d2i_*| instead. 4338*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509 *d2i_X509_bio(BIO *bp, X509 **x509); 4339*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl); 4340*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **req); 4341*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT RSA *d2i_RSAPrivateKey_bio(BIO *bp, RSA **rsa); 4342*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT RSA *d2i_RSAPublicKey_bio(BIO *bp, RSA **rsa); 4343*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa); 4344*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa); 4345*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa); 4346*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey); 4347*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey); 4348*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_SIG *d2i_PKCS8_bio(BIO *bp, X509_SIG **p8); 4349*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio( 4350*8fb009dcSAndroid Build Coastguard Worker BIO *bp, PKCS8_PRIV_KEY_INFO **p8inf); 4351*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a); 4352*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT DH *d2i_DHparams_bio(BIO *bp, DH **dh); 4353*8fb009dcSAndroid Build Coastguard Worker 4354*8fb009dcSAndroid Build Coastguard Worker // d2i_PrivateKey_bio behaves like |d2i_AutoPrivateKey|, but reads from |bp| 4355*8fb009dcSAndroid Build Coastguard Worker // instead. 4356*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a); 4357*8fb009dcSAndroid Build Coastguard Worker 4358*8fb009dcSAndroid Build Coastguard Worker // The following functions behave like the corresponding unsuffixed |i2d_*| 4359*8fb009dcSAndroid Build Coastguard Worker // functions, but write the result to |bp|. They return one on success and zero 4360*8fb009dcSAndroid Build Coastguard Worker // on error. Callers using them with memory |BIO|s to encode structures to 4361*8fb009dcSAndroid Build Coastguard Worker // memory should use |i2d_*| directly instead. 4362*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_X509_bio(BIO *bp, X509 *x509); 4363*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_X509_CRL_bio(BIO *bp, X509_CRL *crl); 4364*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_X509_REQ_bio(BIO *bp, X509_REQ *req); 4365*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_RSAPrivateKey_bio(BIO *bp, RSA *rsa); 4366*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_RSAPublicKey_bio(BIO *bp, RSA *rsa); 4367*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_RSA_PUBKEY_bio(BIO *bp, RSA *rsa); 4368*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa); 4369*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa); 4370*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_EC_PUBKEY_bio(BIO *bp, EC_KEY *eckey); 4371*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_ECPrivateKey_bio(BIO *bp, EC_KEY *eckey); 4372*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_PKCS8_bio(BIO *bp, X509_SIG *p8); 4373*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, 4374*8fb009dcSAndroid Build Coastguard Worker PKCS8_PRIV_KEY_INFO *p8inf); 4375*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_PrivateKey_bio(BIO *bp, EVP_PKEY *pkey); 4376*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_PUBKEY_bio(BIO *bp, EVP_PKEY *pkey); 4377*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_DHparams_bio(BIO *bp, const DH *dh); 4378*8fb009dcSAndroid Build Coastguard Worker 4379*8fb009dcSAndroid Build Coastguard Worker // i2d_PKCS8PrivateKeyInfo_bio encodes |key| as a PKCS#8 PrivateKeyInfo 4380*8fb009dcSAndroid Build Coastguard Worker // structure (see |EVP_marshal_private_key|) and writes the result to |bp|. It 4381*8fb009dcSAndroid Build Coastguard Worker // returns one on success and zero on error. 4382*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key); 4383*8fb009dcSAndroid Build Coastguard Worker 4384*8fb009dcSAndroid Build Coastguard Worker // The following functions behave like the corresponding |d2i_*_bio| functions, 4385*8fb009dcSAndroid Build Coastguard Worker // but read from |fp| instead. 4386*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509 *d2i_X509_fp(FILE *fp, X509 **x509); 4387*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl); 4388*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **req); 4389*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT RSA *d2i_RSAPrivateKey_fp(FILE *fp, RSA **rsa); 4390*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT RSA *d2i_RSAPublicKey_fp(FILE *fp, RSA **rsa); 4391*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa); 4392*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa); 4393*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa); 4394*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey); 4395*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey); 4396*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_SIG *d2i_PKCS8_fp(FILE *fp, X509_SIG **p8); 4397*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp( 4398*8fb009dcSAndroid Build Coastguard Worker FILE *fp, PKCS8_PRIV_KEY_INFO **p8inf); 4399*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a); 4400*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a); 4401*8fb009dcSAndroid Build Coastguard Worker 4402*8fb009dcSAndroid Build Coastguard Worker // The following functions behave like the corresponding |i2d_*_bio| functions, 4403*8fb009dcSAndroid Build Coastguard Worker // but write to |fp| instead. 4404*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_X509_fp(FILE *fp, X509 *x509); 4405*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_X509_CRL_fp(FILE *fp, X509_CRL *crl); 4406*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_X509_REQ_fp(FILE *fp, X509_REQ *req); 4407*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_RSAPrivateKey_fp(FILE *fp, RSA *rsa); 4408*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_RSAPublicKey_fp(FILE *fp, RSA *rsa); 4409*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_RSA_PUBKEY_fp(FILE *fp, RSA *rsa); 4410*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa); 4411*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa); 4412*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_EC_PUBKEY_fp(FILE *fp, EC_KEY *eckey); 4413*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_ECPrivateKey_fp(FILE *fp, EC_KEY *eckey); 4414*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_PKCS8_fp(FILE *fp, X509_SIG *p8); 4415*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, 4416*8fb009dcSAndroid Build Coastguard Worker PKCS8_PRIV_KEY_INFO *p8inf); 4417*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key); 4418*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey); 4419*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey); 4420*8fb009dcSAndroid Build Coastguard Worker 4421*8fb009dcSAndroid Build Coastguard Worker // X509_find_by_issuer_and_serial returns the first |X509| in |sk| whose issuer 4422*8fb009dcSAndroid Build Coastguard Worker // and serial are |name| and |serial|, respectively. If no match is found, it 4423*8fb009dcSAndroid Build Coastguard Worker // returns NULL. 4424*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, 4425*8fb009dcSAndroid Build Coastguard Worker X509_NAME *name, 4426*8fb009dcSAndroid Build Coastguard Worker const ASN1_INTEGER *serial); 4427*8fb009dcSAndroid Build Coastguard Worker 4428*8fb009dcSAndroid Build Coastguard Worker // X509_find_by_subject returns the first |X509| in |sk| whose subject is 4429*8fb009dcSAndroid Build Coastguard Worker // |name|. If no match is found, it returns NULL. 4430*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509 *X509_find_by_subject(const STACK_OF(X509) *sk, 4431*8fb009dcSAndroid Build Coastguard Worker X509_NAME *name); 4432*8fb009dcSAndroid Build Coastguard Worker 4433*8fb009dcSAndroid Build Coastguard Worker // X509_cmp_time compares |s| against |*t|. On success, it returns a negative 4434*8fb009dcSAndroid Build Coastguard Worker // number if |s| <= |*t| and a positive number if |s| > |*t|. On error, it 4435*8fb009dcSAndroid Build Coastguard Worker // returns zero. If |t| is NULL, it uses the current time instead of |*t|. 4436*8fb009dcSAndroid Build Coastguard Worker // 4437*8fb009dcSAndroid Build Coastguard Worker // WARNING: Unlike most comparison functions, this function returns zero on 4438*8fb009dcSAndroid Build Coastguard Worker // error, not equality. 4439*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_cmp_time(const ASN1_TIME *s, const time_t *t); 4440*8fb009dcSAndroid Build Coastguard Worker 4441*8fb009dcSAndroid Build Coastguard Worker // X509_cmp_time_posix compares |s| against |t|. On success, it returns a 4442*8fb009dcSAndroid Build Coastguard Worker // negative number if |s| <= |t| and a positive number if |s| > |t|. On error, 4443*8fb009dcSAndroid Build Coastguard Worker // it returns zero. 4444*8fb009dcSAndroid Build Coastguard Worker // 4445*8fb009dcSAndroid Build Coastguard Worker // WARNING: Unlike most comparison functions, this function returns zero on 4446*8fb009dcSAndroid Build Coastguard Worker // error, not equality. 4447*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_cmp_time_posix(const ASN1_TIME *s, int64_t t); 4448*8fb009dcSAndroid Build Coastguard Worker 4449*8fb009dcSAndroid Build Coastguard Worker // X509_cmp_current_time behaves like |X509_cmp_time| but compares |s| against 4450*8fb009dcSAndroid Build Coastguard Worker // the current time. 4451*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_cmp_current_time(const ASN1_TIME *s); 4452*8fb009dcSAndroid Build Coastguard Worker 4453*8fb009dcSAndroid Build Coastguard Worker // X509_time_adj calls |X509_time_adj_ex| with |offset_day| equal to zero. 4454*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, 4455*8fb009dcSAndroid Build Coastguard Worker const time_t *t); 4456*8fb009dcSAndroid Build Coastguard Worker 4457*8fb009dcSAndroid Build Coastguard Worker // X509_time_adj_ex behaves like |ASN1_TIME_adj|, but adds an offset to |*t|. If 4458*8fb009dcSAndroid Build Coastguard Worker // |t| is NULL, it uses the current time instead of |*t|. 4459*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, int offset_day, 4460*8fb009dcSAndroid Build Coastguard Worker long offset_sec, const time_t *t); 4461*8fb009dcSAndroid Build Coastguard Worker 4462*8fb009dcSAndroid Build Coastguard Worker // X509_gmtime_adj behaves like |X509_time_adj_ex| but adds |offset_sec| to the 4463*8fb009dcSAndroid Build Coastguard Worker // current time. 4464*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long offset_sec); 4465*8fb009dcSAndroid Build Coastguard Worker 4466*8fb009dcSAndroid Build Coastguard Worker // X509_issuer_name_cmp behaves like |X509_NAME_cmp|, but compares |a| and |b|'s 4467*8fb009dcSAndroid Build Coastguard Worker // issuer names. 4468*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_issuer_name_cmp(const X509 *a, const X509 *b); 4469*8fb009dcSAndroid Build Coastguard Worker 4470*8fb009dcSAndroid Build Coastguard Worker // X509_subject_name_cmp behaves like |X509_NAME_cmp|, but compares |a| and 4471*8fb009dcSAndroid Build Coastguard Worker // |b|'s subject names. 4472*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_subject_name_cmp(const X509 *a, const X509 *b); 4473*8fb009dcSAndroid Build Coastguard Worker 4474*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_cmp behaves like |X509_NAME_cmp|, but compares |a| and |b|'s 4475*8fb009dcSAndroid Build Coastguard Worker // issuer names. 4476*8fb009dcSAndroid Build Coastguard Worker // 4477*8fb009dcSAndroid Build Coastguard Worker // WARNING: This function is misnamed. It does not compare other parts of the 4478*8fb009dcSAndroid Build Coastguard Worker // CRL, only the issuer fields using |X509_NAME_cmp|. 4479*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b); 4480*8fb009dcSAndroid Build Coastguard Worker 4481*8fb009dcSAndroid Build Coastguard Worker // X509_issuer_name_hash returns the hash of |x509|'s issuer name with 4482*8fb009dcSAndroid Build Coastguard Worker // |X509_NAME_hash|. 4483*8fb009dcSAndroid Build Coastguard Worker // 4484*8fb009dcSAndroid Build Coastguard Worker // This hash is specific to the |X509_LOOKUP_add_dir| filesystem format and is 4485*8fb009dcSAndroid Build Coastguard Worker // not suitable for general-purpose X.509 name processing. It is very short, so 4486*8fb009dcSAndroid Build Coastguard Worker // there will be hash collisions. It also depends on an OpenSSL-specific 4487*8fb009dcSAndroid Build Coastguard Worker // canonicalization process. 4488*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT uint32_t X509_issuer_name_hash(X509 *x509); 4489*8fb009dcSAndroid Build Coastguard Worker 4490*8fb009dcSAndroid Build Coastguard Worker // X509_subject_name_hash returns the hash of |x509|'s subject name with 4491*8fb009dcSAndroid Build Coastguard Worker // |X509_NAME_hash|. 4492*8fb009dcSAndroid Build Coastguard Worker // 4493*8fb009dcSAndroid Build Coastguard Worker // This hash is specific to the |X509_LOOKUP_add_dir| filesystem format and is 4494*8fb009dcSAndroid Build Coastguard Worker // not suitable for general-purpose X.509 name processing. It is very short, so 4495*8fb009dcSAndroid Build Coastguard Worker // there will be hash collisions. It also depends on an OpenSSL-specific 4496*8fb009dcSAndroid Build Coastguard Worker // canonicalization process. 4497*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT uint32_t X509_subject_name_hash(X509 *x509); 4498*8fb009dcSAndroid Build Coastguard Worker 4499*8fb009dcSAndroid Build Coastguard Worker // X509_issuer_name_hash_old returns the hash of |x509|'s issuer name with 4500*8fb009dcSAndroid Build Coastguard Worker // |X509_NAME_hash_old|. 4501*8fb009dcSAndroid Build Coastguard Worker // 4502*8fb009dcSAndroid Build Coastguard Worker // This hash is specific to the |X509_LOOKUP_add_dir| filesystem format and is 4503*8fb009dcSAndroid Build Coastguard Worker // not suitable for general-purpose X.509 name processing. It is very short, so 4504*8fb009dcSAndroid Build Coastguard Worker // there will be hash collisions. 4505*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT uint32_t X509_issuer_name_hash_old(X509 *x509); 4506*8fb009dcSAndroid Build Coastguard Worker 4507*8fb009dcSAndroid Build Coastguard Worker // X509_subject_name_hash_old returns the hash of |x509|'s usjbect name with 4508*8fb009dcSAndroid Build Coastguard Worker // |X509_NAME_hash_old|. 4509*8fb009dcSAndroid Build Coastguard Worker // 4510*8fb009dcSAndroid Build Coastguard Worker // This hash is specific to the |X509_LOOKUP_add_dir| filesystem format and is 4511*8fb009dcSAndroid Build Coastguard Worker // not suitable for general-purpose X.509 name processing. It is very short, so 4512*8fb009dcSAndroid Build Coastguard Worker // there will be hash collisions. 4513*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT uint32_t X509_subject_name_hash_old(X509 *x509); 4514*8fb009dcSAndroid Build Coastguard Worker 4515*8fb009dcSAndroid Build Coastguard Worker 4516*8fb009dcSAndroid Build Coastguard Worker // ex_data functions. 4517*8fb009dcSAndroid Build Coastguard Worker // 4518*8fb009dcSAndroid Build Coastguard Worker // See |ex_data.h| for details. 4519*8fb009dcSAndroid Build Coastguard Worker 4520*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_get_ex_new_index(long argl, void *argp, 4521*8fb009dcSAndroid Build Coastguard Worker CRYPTO_EX_unused *unused, 4522*8fb009dcSAndroid Build Coastguard Worker CRYPTO_EX_dup *dup_unused, 4523*8fb009dcSAndroid Build Coastguard Worker CRYPTO_EX_free *free_func); 4524*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_set_ex_data(X509 *r, int idx, void *arg); 4525*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void *X509_get_ex_data(X509 *r, int idx); 4526*8fb009dcSAndroid Build Coastguard Worker 4527*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, 4528*8fb009dcSAndroid Build Coastguard Worker CRYPTO_EX_unused *unused, 4529*8fb009dcSAndroid Build Coastguard Worker CRYPTO_EX_dup *dup_unused, 4530*8fb009dcSAndroid Build Coastguard Worker CRYPTO_EX_free *free_func); 4531*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, 4532*8fb009dcSAndroid Build Coastguard Worker void *data); 4533*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx); 4534*8fb009dcSAndroid Build Coastguard Worker 4535*8fb009dcSAndroid Build Coastguard Worker #define X509_STORE_CTX_set_app_data(ctx, data) \ 4536*8fb009dcSAndroid Build Coastguard Worker X509_STORE_CTX_set_ex_data(ctx, 0, data) 4537*8fb009dcSAndroid Build Coastguard Worker #define X509_STORE_CTX_get_app_data(ctx) X509_STORE_CTX_get_ex_data(ctx, 0) 4538*8fb009dcSAndroid Build Coastguard Worker 4539*8fb009dcSAndroid Build Coastguard Worker 4540*8fb009dcSAndroid Build Coastguard Worker // Hashing and signing ASN.1 structures. 4541*8fb009dcSAndroid Build Coastguard Worker 4542*8fb009dcSAndroid Build Coastguard Worker // ASN1_digest serializes |data| with |i2d| and then hashes the result with 4543*8fb009dcSAndroid Build Coastguard Worker // |type|. On success, it returns one, writes the digest to |md|, and sets 4544*8fb009dcSAndroid Build Coastguard Worker // |*len| to the digest length if non-NULL. On error, it returns zero. 4545*8fb009dcSAndroid Build Coastguard Worker // 4546*8fb009dcSAndroid Build Coastguard Worker // |EVP_MD_CTX_size| bytes are written, which is at most |EVP_MAX_MD_SIZE|. The 4547*8fb009dcSAndroid Build Coastguard Worker // buffer must have sufficient space for this output. 4548*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int ASN1_digest(i2d_of_void *i2d, const EVP_MD *type, char *data, 4549*8fb009dcSAndroid Build Coastguard Worker unsigned char *md, unsigned int *len); 4550*8fb009dcSAndroid Build Coastguard Worker 4551*8fb009dcSAndroid Build Coastguard Worker // ASN1_item_digest serializes |data| with |it| and then hashes the result with 4552*8fb009dcSAndroid Build Coastguard Worker // |type|. On success, it returns one, writes the digest to |md|, and sets 4553*8fb009dcSAndroid Build Coastguard Worker // |*len| to the digest length if non-NULL. On error, it returns zero. 4554*8fb009dcSAndroid Build Coastguard Worker // 4555*8fb009dcSAndroid Build Coastguard Worker // |EVP_MD_CTX_size| bytes are written, which is at most |EVP_MAX_MD_SIZE|. The 4556*8fb009dcSAndroid Build Coastguard Worker // buffer must have sufficient space for this output. 4557*8fb009dcSAndroid Build Coastguard Worker // 4558*8fb009dcSAndroid Build Coastguard Worker // WARNING: |data| must be a pointer with the same type as |it|'s corresponding 4559*8fb009dcSAndroid Build Coastguard Worker // C type. Using the wrong type is a potentially exploitable memory error. 4560*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int ASN1_item_digest(const ASN1_ITEM *it, const EVP_MD *type, 4561*8fb009dcSAndroid Build Coastguard Worker void *data, unsigned char *md, 4562*8fb009dcSAndroid Build Coastguard Worker unsigned int *len); 4563*8fb009dcSAndroid Build Coastguard Worker 4564*8fb009dcSAndroid Build Coastguard Worker // ASN1_item_verify serializes |data| with |it| and then verifies |signature| is 4565*8fb009dcSAndroid Build Coastguard Worker // a valid signature for the result with |algor1| and |pkey|. It returns one on 4566*8fb009dcSAndroid Build Coastguard Worker // success and zero on error. The signature and algorithm are interpreted as in 4567*8fb009dcSAndroid Build Coastguard Worker // X.509. 4568*8fb009dcSAndroid Build Coastguard Worker // 4569*8fb009dcSAndroid Build Coastguard Worker // WARNING: |data| must be a pointer with the same type as |it|'s corresponding 4570*8fb009dcSAndroid Build Coastguard Worker // C type. Using the wrong type is a potentially exploitable memory error. 4571*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int ASN1_item_verify(const ASN1_ITEM *it, 4572*8fb009dcSAndroid Build Coastguard Worker const X509_ALGOR *algor1, 4573*8fb009dcSAndroid Build Coastguard Worker const ASN1_BIT_STRING *signature, 4574*8fb009dcSAndroid Build Coastguard Worker void *data, EVP_PKEY *pkey); 4575*8fb009dcSAndroid Build Coastguard Worker 4576*8fb009dcSAndroid Build Coastguard Worker // ASN1_item_sign serializes |data| with |it| and then signs the result with 4577*8fb009dcSAndroid Build Coastguard Worker // the private key |pkey|. It returns the length of the signature on success and 4578*8fb009dcSAndroid Build Coastguard Worker // zero on error. On success, it writes the signature to |signature| and the 4579*8fb009dcSAndroid Build Coastguard Worker // signature algorithm to each of |algor1| and |algor2|. Either of |algor1| or 4580*8fb009dcSAndroid Build Coastguard Worker // |algor2| may be NULL to ignore them. This function uses digest algorithm 4581*8fb009dcSAndroid Build Coastguard Worker // |md|, or |pkey|'s default if NULL. Other signing parameters use |pkey|'s 4582*8fb009dcSAndroid Build Coastguard Worker // defaults. To customize them, use |ASN1_item_sign_ctx|. 4583*8fb009dcSAndroid Build Coastguard Worker // 4584*8fb009dcSAndroid Build Coastguard Worker // WARNING: |data| must be a pointer with the same type as |it|'s corresponding 4585*8fb009dcSAndroid Build Coastguard Worker // C type. Using the wrong type is a potentially exploitable memory error. 4586*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, 4587*8fb009dcSAndroid Build Coastguard Worker X509_ALGOR *algor2, 4588*8fb009dcSAndroid Build Coastguard Worker ASN1_BIT_STRING *signature, void *data, 4589*8fb009dcSAndroid Build Coastguard Worker EVP_PKEY *pkey, const EVP_MD *type); 4590*8fb009dcSAndroid Build Coastguard Worker 4591*8fb009dcSAndroid Build Coastguard Worker // ASN1_item_sign_ctx behaves like |ASN1_item_sign| except the signature is 4592*8fb009dcSAndroid Build Coastguard Worker // signed with |ctx|, |ctx|, which must have been initialized with 4593*8fb009dcSAndroid Build Coastguard Worker // |EVP_DigestSignInit|. The caller should configure the corresponding 4594*8fb009dcSAndroid Build Coastguard Worker // |EVP_PKEY_CTX| with any additional parameters before calling this function. 4595*8fb009dcSAndroid Build Coastguard Worker // 4596*8fb009dcSAndroid Build Coastguard Worker // On success or failure, this function mutates |ctx| and resets it to the empty 4597*8fb009dcSAndroid Build Coastguard Worker // state. Caller should not rely on its contents after the function returns. 4598*8fb009dcSAndroid Build Coastguard Worker // 4599*8fb009dcSAndroid Build Coastguard Worker // WARNING: |data| must be a pointer with the same type as |it|'s corresponding 4600*8fb009dcSAndroid Build Coastguard Worker // C type. Using the wrong type is a potentially exploitable memory error. 4601*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1, 4602*8fb009dcSAndroid Build Coastguard Worker X509_ALGOR *algor2, 4603*8fb009dcSAndroid Build Coastguard Worker ASN1_BIT_STRING *signature, void *asn, 4604*8fb009dcSAndroid Build Coastguard Worker EVP_MD_CTX *ctx); 4605*8fb009dcSAndroid Build Coastguard Worker 4606*8fb009dcSAndroid Build Coastguard Worker 4607*8fb009dcSAndroid Build Coastguard Worker // Verification internals. 4608*8fb009dcSAndroid Build Coastguard Worker // 4609*8fb009dcSAndroid Build Coastguard Worker // The following functions expose portions of certificate validation. They are 4610*8fb009dcSAndroid Build Coastguard Worker // exported for compatibility with existing callers, or to support some obscure 4611*8fb009dcSAndroid Build Coastguard Worker // use cases. Most callers, however, will not need these functions and should 4612*8fb009dcSAndroid Build Coastguard Worker // instead use |X509_STORE_CTX| APIs. 4613*8fb009dcSAndroid Build Coastguard Worker 4614*8fb009dcSAndroid Build Coastguard Worker // X509_supported_extension returns one if |ex| is a critical X.509 certificate 4615*8fb009dcSAndroid Build Coastguard Worker // extension, supported by |X509_verify_cert|, and zero otherwise. 4616*8fb009dcSAndroid Build Coastguard Worker // 4617*8fb009dcSAndroid Build Coastguard Worker // Note this function only reports certificate extensions (as opposed to CRL or 4618*8fb009dcSAndroid Build Coastguard Worker // CRL extensions), and only extensions that are expected to be marked critical. 4619*8fb009dcSAndroid Build Coastguard Worker // Additionally, |X509_verify_cert| checks for unsupported critical extensions 4620*8fb009dcSAndroid Build Coastguard Worker // internally, so most callers will not need to call this function separately. 4621*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_supported_extension(const X509_EXTENSION *ex); 4622*8fb009dcSAndroid Build Coastguard Worker 4623*8fb009dcSAndroid Build Coastguard Worker // X509_check_ca returns one if |x509| may be considered a CA certificate, 4624*8fb009dcSAndroid Build Coastguard Worker // according to basic constraints and key usage extensions. Otherwise, it 4625*8fb009dcSAndroid Build Coastguard Worker // returns zero. If |x509| is an X509v1 certificate, and thus has no extensions, 4626*8fb009dcSAndroid Build Coastguard Worker // it is considered eligible. 4627*8fb009dcSAndroid Build Coastguard Worker // 4628*8fb009dcSAndroid Build Coastguard Worker // This function returning one does not indicate that |x509| is trusted, only 4629*8fb009dcSAndroid Build Coastguard Worker // that it is eligible to be a CA. 4630*8fb009dcSAndroid Build Coastguard Worker // 4631*8fb009dcSAndroid Build Coastguard Worker // TODO(crbug.com/boringssl/407): |x509| should be const. 4632*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_check_ca(X509 *x509); 4633*8fb009dcSAndroid Build Coastguard Worker 4634*8fb009dcSAndroid Build Coastguard Worker // X509_check_issued checks if |issuer| and |subject|'s name, authority key 4635*8fb009dcSAndroid Build Coastguard Worker // identifier, and key usage fields allow |issuer| to have issued |subject|. It 4636*8fb009dcSAndroid Build Coastguard Worker // returns |X509_V_OK| on success and an |X509_V_ERR_*| value otherwise. 4637*8fb009dcSAndroid Build Coastguard Worker // 4638*8fb009dcSAndroid Build Coastguard Worker // This function does not check the signature on |subject|. Rather, it is 4639*8fb009dcSAndroid Build Coastguard Worker // intended to prune the set of possible issuer certificates during 4640*8fb009dcSAndroid Build Coastguard Worker // path-building. 4641*8fb009dcSAndroid Build Coastguard Worker // 4642*8fb009dcSAndroid Build Coastguard Worker // TODO(crbug.com/boringssl/407): Both parameters should be const. 4643*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_check_issued(X509 *issuer, X509 *subject); 4644*8fb009dcSAndroid Build Coastguard Worker 4645*8fb009dcSAndroid Build Coastguard Worker // NAME_CONSTRAINTS_check checks if |x509| satisfies name constraints in |nc|. 4646*8fb009dcSAndroid Build Coastguard Worker // It returns |X509_V_OK| on success and some |X509_V_ERR_*| constant on error. 4647*8fb009dcSAndroid Build Coastguard Worker // 4648*8fb009dcSAndroid Build Coastguard Worker // TODO(crbug.com/boringssl/407): Both parameters should be const. 4649*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int NAME_CONSTRAINTS_check(X509 *x509, NAME_CONSTRAINTS *nc); 4650*8fb009dcSAndroid Build Coastguard Worker 4651*8fb009dcSAndroid Build Coastguard Worker // X509_check_host checks if |x509| matches the DNS name |chk|. It returns one 4652*8fb009dcSAndroid Build Coastguard Worker // on match, zero on mismatch, or a negative number on error. |flags| should be 4653*8fb009dcSAndroid Build Coastguard Worker // some combination of |X509_CHECK_FLAG_*| and modifies the behavior. On match, 4654*8fb009dcSAndroid Build Coastguard Worker // if |out_peername| is non-NULL, it additionally sets |*out_peername| to a 4655*8fb009dcSAndroid Build Coastguard Worker // newly-allocated, NUL-terminated string containing the DNS name or wildcard in 4656*8fb009dcSAndroid Build Coastguard Worker // the certificate which matched. The caller must then free |*out_peername| with 4657*8fb009dcSAndroid Build Coastguard Worker // |OPENSSL_free| when done. 4658*8fb009dcSAndroid Build Coastguard Worker // 4659*8fb009dcSAndroid Build Coastguard Worker // By default, both subject alternative names and the subject's common name 4660*8fb009dcSAndroid Build Coastguard Worker // attribute are checked. The latter has long been deprecated, so callers should 4661*8fb009dcSAndroid Build Coastguard Worker // include |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| in |flags| to use the standard 4662*8fb009dcSAndroid Build Coastguard Worker // behavior. https://crbug.com/boringssl/464 tracks fixing the default. 4663*8fb009dcSAndroid Build Coastguard Worker // 4664*8fb009dcSAndroid Build Coastguard Worker // This function does not check if |x509| is a trusted certificate, only if, 4665*8fb009dcSAndroid Build Coastguard Worker // were it trusted, it would match |chk|. 4666*8fb009dcSAndroid Build Coastguard Worker // 4667*8fb009dcSAndroid Build Coastguard Worker // WARNING: This function differs from the usual calling convention and may 4668*8fb009dcSAndroid Build Coastguard Worker // return either 0 or a negative number on error. 4669*8fb009dcSAndroid Build Coastguard Worker // 4670*8fb009dcSAndroid Build Coastguard Worker // TODO(davidben): Make the error case also return zero. 4671*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_check_host(const X509 *x509, const char *chk, 4672*8fb009dcSAndroid Build Coastguard Worker size_t chklen, unsigned int flags, 4673*8fb009dcSAndroid Build Coastguard Worker char **out_peername); 4674*8fb009dcSAndroid Build Coastguard Worker 4675*8fb009dcSAndroid Build Coastguard Worker // X509_check_email checks if |x509| matches the email address |chk|. It returns 4676*8fb009dcSAndroid Build Coastguard Worker // one on match, zero on mismatch, or a negative number on error. |flags| should 4677*8fb009dcSAndroid Build Coastguard Worker // be some combination of |X509_CHECK_FLAG_*| and modifies the behavior. 4678*8fb009dcSAndroid Build Coastguard Worker // 4679*8fb009dcSAndroid Build Coastguard Worker // By default, both subject alternative names and the subject's email address 4680*8fb009dcSAndroid Build Coastguard Worker // attribute are checked. The |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| flag may be 4681*8fb009dcSAndroid Build Coastguard Worker // used to change this behavior. 4682*8fb009dcSAndroid Build Coastguard Worker // 4683*8fb009dcSAndroid Build Coastguard Worker // This function does not check if |x509| is a trusted certificate, only if, 4684*8fb009dcSAndroid Build Coastguard Worker // were it trusted, it would match |chk|. 4685*8fb009dcSAndroid Build Coastguard Worker // 4686*8fb009dcSAndroid Build Coastguard Worker // WARNING: This function differs from the usual calling convention and may 4687*8fb009dcSAndroid Build Coastguard Worker // return either 0 or a negative number on error. 4688*8fb009dcSAndroid Build Coastguard Worker // 4689*8fb009dcSAndroid Build Coastguard Worker // TODO(davidben): Make the error case also return zero. 4690*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_check_email(const X509 *x509, const char *chk, 4691*8fb009dcSAndroid Build Coastguard Worker size_t chklen, unsigned int flags); 4692*8fb009dcSAndroid Build Coastguard Worker 4693*8fb009dcSAndroid Build Coastguard Worker // X509_check_ip checks if |x509| matches the IP address |chk|. The IP address 4694*8fb009dcSAndroid Build Coastguard Worker // is represented in byte form and should be 4 bytes for an IPv4 address and 16 4695*8fb009dcSAndroid Build Coastguard Worker // bytes for an IPv6 address. It returns one on match, zero on mismatch, or a 4696*8fb009dcSAndroid Build Coastguard Worker // negative number on error. |flags| should be some combination of 4697*8fb009dcSAndroid Build Coastguard Worker // |X509_CHECK_FLAG_*| and modifies the behavior. 4698*8fb009dcSAndroid Build Coastguard Worker // 4699*8fb009dcSAndroid Build Coastguard Worker // This function does not check if |x509| is a trusted certificate, only if, 4700*8fb009dcSAndroid Build Coastguard Worker // were it trusted, it would match |chk|. 4701*8fb009dcSAndroid Build Coastguard Worker // 4702*8fb009dcSAndroid Build Coastguard Worker // WARNING: This function differs from the usual calling convention and may 4703*8fb009dcSAndroid Build Coastguard Worker // return either 0 or a negative number on error. 4704*8fb009dcSAndroid Build Coastguard Worker // 4705*8fb009dcSAndroid Build Coastguard Worker // TODO(davidben): Make the error case also return zero. 4706*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_check_ip(const X509 *x509, const uint8_t *chk, 4707*8fb009dcSAndroid Build Coastguard Worker size_t chklen, unsigned int flags); 4708*8fb009dcSAndroid Build Coastguard Worker 4709*8fb009dcSAndroid Build Coastguard Worker // X509_check_ip_asc behaves like |X509_check_ip| except the IP address is 4710*8fb009dcSAndroid Build Coastguard Worker // specified in textual form in |ipasc|. 4711*8fb009dcSAndroid Build Coastguard Worker // 4712*8fb009dcSAndroid Build Coastguard Worker // WARNING: This function differs from the usual calling convention and may 4713*8fb009dcSAndroid Build Coastguard Worker // return either 0 or a negative number on error. 4714*8fb009dcSAndroid Build Coastguard Worker // 4715*8fb009dcSAndroid Build Coastguard Worker // TODO(davidben): Make the error case also return zero. 4716*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_check_ip_asc(const X509 *x509, const char *ipasc, 4717*8fb009dcSAndroid Build Coastguard Worker unsigned int flags); 4718*8fb009dcSAndroid Build Coastguard Worker 4719*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_get1_issuer looks up a candidate trusted issuer for |x509| out 4720*8fb009dcSAndroid Build Coastguard Worker // of |ctx|'s |X509_STORE|, based on the criteria in |X509_check_issued|. If one 4721*8fb009dcSAndroid Build Coastguard Worker // was found, it returns one and sets |*out_issuer| to the issuer. The caller 4722*8fb009dcSAndroid Build Coastguard Worker // must release |*out_issuer| with |X509_free| when done. If none was found, it 4723*8fb009dcSAndroid Build Coastguard Worker // returns zero and leaves |*out_issuer| unchanged. 4724*8fb009dcSAndroid Build Coastguard Worker // 4725*8fb009dcSAndroid Build Coastguard Worker // This function only searches for trusted issuers. It does not consider 4726*8fb009dcSAndroid Build Coastguard Worker // untrusted intermediates passed in to |X509_STORE_CTX_init|. 4727*8fb009dcSAndroid Build Coastguard Worker // 4728*8fb009dcSAndroid Build Coastguard Worker // TODO(crbug.com/boringssl/407): |x509| should be const. 4729*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_STORE_CTX_get1_issuer(X509 **out_issuer, 4730*8fb009dcSAndroid Build Coastguard Worker X509_STORE_CTX *ctx, X509 *x509); 4731*8fb009dcSAndroid Build Coastguard Worker 4732*8fb009dcSAndroid Build Coastguard Worker // X509_check_purpose performs checks if |x509|'s basic constraints, key usage, 4733*8fb009dcSAndroid Build Coastguard Worker // and extended key usage extensions for the specified purpose. |purpose| should 4734*8fb009dcSAndroid Build Coastguard Worker // be one of |X509_PURPOSE_*| constants. See |X509_VERIFY_PARAM_set_purpose| for 4735*8fb009dcSAndroid Build Coastguard Worker // details. It returns one if |x509|'s extensions are consistent with |purpose| 4736*8fb009dcSAndroid Build Coastguard Worker // and zero otherwise. If |ca| is non-zero, |x509| is checked as a CA 4737*8fb009dcSAndroid Build Coastguard Worker // certificate. Otherwise, it is checked as an end-entity certificate. 4738*8fb009dcSAndroid Build Coastguard Worker // 4739*8fb009dcSAndroid Build Coastguard Worker // If |purpose| is -1, this function performs no purpose checks, but it parses 4740*8fb009dcSAndroid Build Coastguard Worker // some extensions in |x509| and may return zero on syntax error. Historically, 4741*8fb009dcSAndroid Build Coastguard Worker // callers primarily used this function to trigger this parsing, but this is no 4742*8fb009dcSAndroid Build Coastguard Worker // longer necessary. Functions acting on |X509| will internally parse as needed. 4743*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_check_purpose(X509 *x509, int purpose, int ca); 4744*8fb009dcSAndroid Build Coastguard Worker 4745*8fb009dcSAndroid Build Coastguard Worker #define X509_TRUST_TRUSTED 1 4746*8fb009dcSAndroid Build Coastguard Worker #define X509_TRUST_REJECTED 2 4747*8fb009dcSAndroid Build Coastguard Worker #define X509_TRUST_UNTRUSTED 3 4748*8fb009dcSAndroid Build Coastguard Worker 4749*8fb009dcSAndroid Build Coastguard Worker // X509_check_trust checks if |x509| is a valid trust anchor for trust type 4750*8fb009dcSAndroid Build Coastguard Worker // |id|. See |X509_VERIFY_PARAM_set_trust| for details. It returns 4751*8fb009dcSAndroid Build Coastguard Worker // |X509_TRUST_TRUSTED| if |x509| is a trust anchor, |X509_TRUST_REJECTED| if it 4752*8fb009dcSAndroid Build Coastguard Worker // was distrusted, and |X509_TRUST_UNTRUSTED| otherwise. |id| should be one of 4753*8fb009dcSAndroid Build Coastguard Worker // the |X509_TRUST_*| constants, or zero to indicate the default behavior. 4754*8fb009dcSAndroid Build Coastguard Worker // |flags| should be zero and is ignored. 4755*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_check_trust(X509 *x509, int id, int flags); 4756*8fb009dcSAndroid Build Coastguard Worker 4757*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_get1_certs returns a newly-allocated stack containing all 4758*8fb009dcSAndroid Build Coastguard Worker // trusted certificates in |ctx|'s |X509_STORE| whose subject matches |name|, or 4759*8fb009dcSAndroid Build Coastguard Worker // NULL on error. The caller must release the result with |sk_X509_pop_free| and 4760*8fb009dcSAndroid Build Coastguard Worker // |X509_free| when done. 4761*8fb009dcSAndroid Build Coastguard Worker // 4762*8fb009dcSAndroid Build Coastguard Worker // TODO(crbug.com/boringssl/407): |name| should be const. 4763*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx, 4764*8fb009dcSAndroid Build Coastguard Worker X509_NAME *name); 4765*8fb009dcSAndroid Build Coastguard Worker 4766*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_get1_crls returns a newly-allocated stack containing all 4767*8fb009dcSAndroid Build Coastguard Worker // CRLs in |ctx|'s |X509_STORE| whose subject matches |name|, or NULL on error. 4768*8fb009dcSAndroid Build Coastguard Worker // The caller must release the result with |sk_X509_CRL_pop_free| and 4769*8fb009dcSAndroid Build Coastguard Worker // |X509_CRL_free| when done. 4770*8fb009dcSAndroid Build Coastguard Worker // 4771*8fb009dcSAndroid Build Coastguard Worker // TODO(crbug.com/boringssl/407): |name| should be const. 4772*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(X509_STORE_CTX *ctx, 4773*8fb009dcSAndroid Build Coastguard Worker X509_NAME *name); 4774*8fb009dcSAndroid Build Coastguard Worker 4775*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_get_by_subject looks up an object of type |type| in |ctx|'s 4776*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE| that matches |name|. |type| should be one of the |X509_LU_*| 4777*8fb009dcSAndroid Build Coastguard Worker // constants to indicate the type of object. If a match was found, it stores the 4778*8fb009dcSAndroid Build Coastguard Worker // result in |ret| and returns one. Otherwise, it returns zero. If multiple 4779*8fb009dcSAndroid Build Coastguard Worker // objects match, this function outputs an arbitray one. 4780*8fb009dcSAndroid Build Coastguard Worker // 4781*8fb009dcSAndroid Build Coastguard Worker // WARNING: |ret| must be in the empty state, as returned by |X509_OBJECT_new|. 4782*8fb009dcSAndroid Build Coastguard Worker // Otherwise, the object currently in |ret| will be leaked when overwritten. 4783*8fb009dcSAndroid Build Coastguard Worker // https://crbug.com/boringssl/685 tracks fixing this. 4784*8fb009dcSAndroid Build Coastguard Worker // 4785*8fb009dcSAndroid Build Coastguard Worker // WARNING: Multiple trusted certificates or CRLs may share a name. In this 4786*8fb009dcSAndroid Build Coastguard Worker // case, this function returns an arbitrary match. Use 4787*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE_CTX_get1_certs| or |X509_STORE_CTX_get1_crls| instead. 4788*8fb009dcSAndroid Build Coastguard Worker // 4789*8fb009dcSAndroid Build Coastguard Worker // TODO(crbug.com/boringssl/407): |name| should be const. 4790*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *ctx, int type, 4791*8fb009dcSAndroid Build Coastguard Worker X509_NAME *name, 4792*8fb009dcSAndroid Build Coastguard Worker X509_OBJECT *ret); 4793*8fb009dcSAndroid Build Coastguard Worker 4794*8fb009dcSAndroid Build Coastguard Worker 4795*8fb009dcSAndroid Build Coastguard Worker // X.509 information. 4796*8fb009dcSAndroid Build Coastguard Worker // 4797*8fb009dcSAndroid Build Coastguard Worker // |X509_INFO| is the return type for |PEM_X509_INFO_read_bio|, defined in 4798*8fb009dcSAndroid Build Coastguard Worker // <openssl/pem.h>. It is used to store a certificate, CRL, or private key. This 4799*8fb009dcSAndroid Build Coastguard Worker // type is defined in this header for OpenSSL compatibility. 4800*8fb009dcSAndroid Build Coastguard Worker 4801*8fb009dcSAndroid Build Coastguard Worker struct private_key_st { 4802*8fb009dcSAndroid Build Coastguard Worker EVP_PKEY *dec_pkey; 4803*8fb009dcSAndroid Build Coastguard Worker } /* X509_PKEY */; 4804*8fb009dcSAndroid Build Coastguard Worker 4805*8fb009dcSAndroid Build Coastguard Worker struct X509_info_st { 4806*8fb009dcSAndroid Build Coastguard Worker X509 *x509; 4807*8fb009dcSAndroid Build Coastguard Worker X509_CRL *crl; 4808*8fb009dcSAndroid Build Coastguard Worker X509_PKEY *x_pkey; 4809*8fb009dcSAndroid Build Coastguard Worker 4810*8fb009dcSAndroid Build Coastguard Worker EVP_CIPHER_INFO enc_cipher; 4811*8fb009dcSAndroid Build Coastguard Worker int enc_len; 4812*8fb009dcSAndroid Build Coastguard Worker char *enc_data; 4813*8fb009dcSAndroid Build Coastguard Worker } /* X509_INFO */; 4814*8fb009dcSAndroid Build Coastguard Worker 4815*8fb009dcSAndroid Build Coastguard Worker DEFINE_STACK_OF(X509_INFO) 4816*8fb009dcSAndroid Build Coastguard Worker 4817*8fb009dcSAndroid Build Coastguard Worker // X509_INFO_free releases memory associated with |info|. 4818*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_INFO_free(X509_INFO *info); 4819*8fb009dcSAndroid Build Coastguard Worker 4820*8fb009dcSAndroid Build Coastguard Worker 4821*8fb009dcSAndroid Build Coastguard Worker // Deprecated custom extension registration. 4822*8fb009dcSAndroid Build Coastguard Worker // 4823*8fb009dcSAndroid Build Coastguard Worker // The following functions allow callers to register custom extensions for use 4824*8fb009dcSAndroid Build Coastguard Worker // with |X509V3_EXT_d2i| and related functions. This mechanism is deprecated and 4825*8fb009dcSAndroid Build Coastguard Worker // will be removed in the future. As discussed in |X509V3_EXT_add|, it is not 4826*8fb009dcSAndroid Build Coastguard Worker // possible to safely register a custom extension without risking race 4827*8fb009dcSAndroid Build Coastguard Worker // conditions and memory errors when linked with other users of BoringSSL. 4828*8fb009dcSAndroid Build Coastguard Worker // 4829*8fb009dcSAndroid Build Coastguard Worker // Moreover, it is not necessary to register a custom extension to process 4830*8fb009dcSAndroid Build Coastguard Worker // extensions unknown to BoringSSL. Registration does not impact certificate 4831*8fb009dcSAndroid Build Coastguard Worker // verification. Caller should instead use functions such as 4832*8fb009dcSAndroid Build Coastguard Worker // |ASN1_OBJECT_create|, |X509_get_ext_by_OBJ|, |X509_EXTENSION_get_data|, and 4833*8fb009dcSAndroid Build Coastguard Worker // |X509_EXTENSION_create_by_OBJ| to inspect or create extensions directly. 4834*8fb009dcSAndroid Build Coastguard Worker 4835*8fb009dcSAndroid Build Coastguard Worker // The following function pointer types are used in |X509V3_EXT_METHOD|. 4836*8fb009dcSAndroid Build Coastguard Worker typedef void *(*X509V3_EXT_NEW)(void); 4837*8fb009dcSAndroid Build Coastguard Worker typedef void (*X509V3_EXT_FREE)(void *ext); 4838*8fb009dcSAndroid Build Coastguard Worker typedef void *(*X509V3_EXT_D2I)(void *ext, const uint8_t **inp, long len); 4839*8fb009dcSAndroid Build Coastguard Worker typedef int (*X509V3_EXT_I2D)(void *ext, uint8_t **outp); 4840*8fb009dcSAndroid Build Coastguard Worker typedef STACK_OF(CONF_VALUE) *(*X509V3_EXT_I2V)(const X509V3_EXT_METHOD *method, 4841*8fb009dcSAndroid Build Coastguard Worker void *ext, 4842*8fb009dcSAndroid Build Coastguard Worker STACK_OF(CONF_VALUE) *extlist); 4843*8fb009dcSAndroid Build Coastguard Worker typedef void *(*X509V3_EXT_V2I)(const X509V3_EXT_METHOD *method, 4844*8fb009dcSAndroid Build Coastguard Worker const X509V3_CTX *ctx, 4845*8fb009dcSAndroid Build Coastguard Worker const STACK_OF(CONF_VALUE) *values); 4846*8fb009dcSAndroid Build Coastguard Worker typedef char *(*X509V3_EXT_I2S)(const X509V3_EXT_METHOD *method, void *ext); 4847*8fb009dcSAndroid Build Coastguard Worker typedef void *(*X509V3_EXT_S2I)(const X509V3_EXT_METHOD *method, 4848*8fb009dcSAndroid Build Coastguard Worker const X509V3_CTX *ctx, const char *str); 4849*8fb009dcSAndroid Build Coastguard Worker typedef int (*X509V3_EXT_I2R)(const X509V3_EXT_METHOD *method, void *ext, 4850*8fb009dcSAndroid Build Coastguard Worker BIO *out, int indent); 4851*8fb009dcSAndroid Build Coastguard Worker typedef void *(*X509V3_EXT_R2I)(const X509V3_EXT_METHOD *method, 4852*8fb009dcSAndroid Build Coastguard Worker const X509V3_CTX *ctx, const char *str); 4853*8fb009dcSAndroid Build Coastguard Worker 4854*8fb009dcSAndroid Build Coastguard Worker // A v3_ext_method, aka |X509V3_EXT_METHOD|, is a deprecated type which defines 4855*8fb009dcSAndroid Build Coastguard Worker // a custom extension. 4856*8fb009dcSAndroid Build Coastguard Worker struct v3_ext_method { 4857*8fb009dcSAndroid Build Coastguard Worker // ext_nid is the NID of the extension. 4858*8fb009dcSAndroid Build Coastguard Worker int ext_nid; 4859*8fb009dcSAndroid Build Coastguard Worker 4860*8fb009dcSAndroid Build Coastguard Worker // ext_flags is a combination of |X509V3_EXT_*| constants. 4861*8fb009dcSAndroid Build Coastguard Worker int ext_flags; 4862*8fb009dcSAndroid Build Coastguard Worker 4863*8fb009dcSAndroid Build Coastguard Worker // it determines how values of this extension are allocated, released, parsed, 4864*8fb009dcSAndroid Build Coastguard Worker // and marshalled. This must be non-NULL. 4865*8fb009dcSAndroid Build Coastguard Worker ASN1_ITEM_EXP *it; 4866*8fb009dcSAndroid Build Coastguard Worker 4867*8fb009dcSAndroid Build Coastguard Worker // The following functions are ignored in favor of |it|. They are retained in 4868*8fb009dcSAndroid Build Coastguard Worker // the struct only for source compatibility with existing struct definitions. 4869*8fb009dcSAndroid Build Coastguard Worker X509V3_EXT_NEW ext_new; 4870*8fb009dcSAndroid Build Coastguard Worker X509V3_EXT_FREE ext_free; 4871*8fb009dcSAndroid Build Coastguard Worker X509V3_EXT_D2I d2i; 4872*8fb009dcSAndroid Build Coastguard Worker X509V3_EXT_I2D i2d; 4873*8fb009dcSAndroid Build Coastguard Worker 4874*8fb009dcSAndroid Build Coastguard Worker // The following functions are used for string extensions. 4875*8fb009dcSAndroid Build Coastguard Worker X509V3_EXT_I2S i2s; 4876*8fb009dcSAndroid Build Coastguard Worker X509V3_EXT_S2I s2i; 4877*8fb009dcSAndroid Build Coastguard Worker 4878*8fb009dcSAndroid Build Coastguard Worker // The following functions are used for multi-valued extensions. 4879*8fb009dcSAndroid Build Coastguard Worker X509V3_EXT_I2V i2v; 4880*8fb009dcSAndroid Build Coastguard Worker X509V3_EXT_V2I v2i; 4881*8fb009dcSAndroid Build Coastguard Worker 4882*8fb009dcSAndroid Build Coastguard Worker // The following functions are used for "raw" extensions, which implement 4883*8fb009dcSAndroid Build Coastguard Worker // custom printing behavior. 4884*8fb009dcSAndroid Build Coastguard Worker X509V3_EXT_I2R i2r; 4885*8fb009dcSAndroid Build Coastguard Worker X509V3_EXT_R2I r2i; 4886*8fb009dcSAndroid Build Coastguard Worker 4887*8fb009dcSAndroid Build Coastguard Worker void *usr_data; // Any extension specific data 4888*8fb009dcSAndroid Build Coastguard Worker } /* X509V3_EXT_METHOD */; 4889*8fb009dcSAndroid Build Coastguard Worker 4890*8fb009dcSAndroid Build Coastguard Worker // X509V3_EXT_MULTILINE causes the result of an |X509V3_EXT_METHOD|'s |i2v| 4891*8fb009dcSAndroid Build Coastguard Worker // function to be printed on separate lines, rather than separated by commas. 4892*8fb009dcSAndroid Build Coastguard Worker #define X509V3_EXT_MULTILINE 0x4 4893*8fb009dcSAndroid Build Coastguard Worker 4894*8fb009dcSAndroid Build Coastguard Worker // X509V3_EXT_get returns the |X509V3_EXT_METHOD| corresponding to |ext|'s 4895*8fb009dcSAndroid Build Coastguard Worker // extension type, or NULL if none was registered. 4896*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT const X509V3_EXT_METHOD *X509V3_EXT_get( 4897*8fb009dcSAndroid Build Coastguard Worker const X509_EXTENSION *ext); 4898*8fb009dcSAndroid Build Coastguard Worker 4899*8fb009dcSAndroid Build Coastguard Worker // X509V3_EXT_get_nid returns the |X509V3_EXT_METHOD| corresponding to |nid|, or 4900*8fb009dcSAndroid Build Coastguard Worker // NULL if none was registered. 4901*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid); 4902*8fb009dcSAndroid Build Coastguard Worker 4903*8fb009dcSAndroid Build Coastguard Worker // X509V3_EXT_add registers |ext| as a custom extension for the extension type 4904*8fb009dcSAndroid Build Coastguard Worker // |ext->ext_nid|. |ext| must be valid for the remainder of the address space's 4905*8fb009dcSAndroid Build Coastguard Worker // lifetime. It returns one on success and zero on error. 4906*8fb009dcSAndroid Build Coastguard Worker // 4907*8fb009dcSAndroid Build Coastguard Worker // WARNING: This function modifies global state. If other code in the same 4908*8fb009dcSAndroid Build Coastguard Worker // address space also registers an extension with type |ext->ext_nid|, the two 4909*8fb009dcSAndroid Build Coastguard Worker // registrations will conflict. Which registration takes effect is undefined. If 4910*8fb009dcSAndroid Build Coastguard Worker // the two registrations use incompatible in-memory representations, code 4911*8fb009dcSAndroid Build Coastguard Worker // expecting the other registration will then cast a type to the wrong type, 4912*8fb009dcSAndroid Build Coastguard Worker // resulting in a potentially exploitable memory error. This conflict can also 4913*8fb009dcSAndroid Build Coastguard Worker // occur if BoringSSL later adds support for |ext->ext_nid|, with a different 4914*8fb009dcSAndroid Build Coastguard Worker // in-memory representation than the one expected by |ext|. 4915*8fb009dcSAndroid Build Coastguard Worker // 4916*8fb009dcSAndroid Build Coastguard Worker // This function, additionally, is not thread-safe and cannot be called 4917*8fb009dcSAndroid Build Coastguard Worker // concurrently with any other BoringSSL function. 4918*8fb009dcSAndroid Build Coastguard Worker // 4919*8fb009dcSAndroid Build Coastguard Worker // As a result, it is impossible to safely use this function. Registering a 4920*8fb009dcSAndroid Build Coastguard Worker // custom extension has no impact on certificate verification so, instead, 4921*8fb009dcSAndroid Build Coastguard Worker // callers should simply handle the custom extension with the byte-based 4922*8fb009dcSAndroid Build Coastguard Worker // |X509_EXTENSION| APIs directly. Registering |ext| with the library has little 4923*8fb009dcSAndroid Build Coastguard Worker // practical value. 4924*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT OPENSSL_DEPRECATED int X509V3_EXT_add(X509V3_EXT_METHOD *ext); 4925*8fb009dcSAndroid Build Coastguard Worker 4926*8fb009dcSAndroid Build Coastguard Worker // X509V3_EXT_add_alias registers a custom extension with NID |nid_to|. The 4927*8fb009dcSAndroid Build Coastguard Worker // corresponding ASN.1 type is copied from |nid_from|. It returns one on success 4928*8fb009dcSAndroid Build Coastguard Worker // and zero on error. 4929*8fb009dcSAndroid Build Coastguard Worker // 4930*8fb009dcSAndroid Build Coastguard Worker // WARNING: Do not use this function. See |X509V3_EXT_add|. 4931*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT OPENSSL_DEPRECATED int X509V3_EXT_add_alias(int nid_to, 4932*8fb009dcSAndroid Build Coastguard Worker int nid_from); 4933*8fb009dcSAndroid Build Coastguard Worker 4934*8fb009dcSAndroid Build Coastguard Worker 4935*8fb009dcSAndroid Build Coastguard Worker // Deprecated config-based extension creation. 4936*8fb009dcSAndroid Build Coastguard Worker // 4937*8fb009dcSAndroid Build Coastguard Worker // The following functions allow specifying X.509 extensions using OpenSSL's 4938*8fb009dcSAndroid Build Coastguard Worker // config file syntax, from the OpenSSL command-line tool. They are retained, 4939*8fb009dcSAndroid Build Coastguard Worker // for now, for compatibility with legacy software but may be removed in the 4940*8fb009dcSAndroid Build Coastguard Worker // future. Construct the extensions using the typed C APIs instead. 4941*8fb009dcSAndroid Build Coastguard Worker // 4942*8fb009dcSAndroid Build Coastguard Worker // Callers should especially avoid these functions if passing in non-constant 4943*8fb009dcSAndroid Build Coastguard Worker // values. They use ad-hoc, string-based formats which are prone to injection 4944*8fb009dcSAndroid Build Coastguard Worker // vulnerabilities. For a CA, this means using them risks misissuance. 4945*8fb009dcSAndroid Build Coastguard Worker // 4946*8fb009dcSAndroid Build Coastguard Worker // These functions are not safe to use with untrusted inputs. The string formats 4947*8fb009dcSAndroid Build Coastguard Worker // may implicitly reference context information and, in OpenSSL (though not 4948*8fb009dcSAndroid Build Coastguard Worker // BoringSSL), one even allows reading arbitrary files. Many formats can also 4949*8fb009dcSAndroid Build Coastguard Worker // produce far larger outputs than their inputs, so untrusted inputs may lead to 4950*8fb009dcSAndroid Build Coastguard Worker // denial-of-service attacks. Finally, the parsers see much less testing and 4951*8fb009dcSAndroid Build Coastguard Worker // review than most of the library and may have bugs including memory leaks or 4952*8fb009dcSAndroid Build Coastguard Worker // crashes. 4953*8fb009dcSAndroid Build Coastguard Worker 4954*8fb009dcSAndroid Build Coastguard Worker // v3_ext_ctx, aka |X509V3_CTX|, contains additional context information for 4955*8fb009dcSAndroid Build Coastguard Worker // constructing extensions. Some string formats reference additional values in 4956*8fb009dcSAndroid Build Coastguard Worker // these objects. It must be initialized with |X509V3_set_ctx| or 4957*8fb009dcSAndroid Build Coastguard Worker // |X509V3_set_ctx_test| before use. 4958*8fb009dcSAndroid Build Coastguard Worker struct v3_ext_ctx { 4959*8fb009dcSAndroid Build Coastguard Worker int flags; 4960*8fb009dcSAndroid Build Coastguard Worker const X509 *issuer_cert; 4961*8fb009dcSAndroid Build Coastguard Worker const X509 *subject_cert; 4962*8fb009dcSAndroid Build Coastguard Worker const X509_REQ *subject_req; 4963*8fb009dcSAndroid Build Coastguard Worker const X509_CRL *crl; 4964*8fb009dcSAndroid Build Coastguard Worker const CONF *db; 4965*8fb009dcSAndroid Build Coastguard Worker }; 4966*8fb009dcSAndroid Build Coastguard Worker 4967*8fb009dcSAndroid Build Coastguard Worker #define X509V3_CTX_TEST 0x1 4968*8fb009dcSAndroid Build Coastguard Worker 4969*8fb009dcSAndroid Build Coastguard Worker // X509V3_set_ctx initializes |ctx| with the specified objects. Some string 4970*8fb009dcSAndroid Build Coastguard Worker // formats will reference fields in these objects. Each object may be NULL to 4971*8fb009dcSAndroid Build Coastguard Worker // omit it, in which case those formats cannot be used. |flags| should be zero, 4972*8fb009dcSAndroid Build Coastguard Worker // unless called via |X509V3_set_ctx_test|. 4973*8fb009dcSAndroid Build Coastguard Worker // 4974*8fb009dcSAndroid Build Coastguard Worker // |issuer|, |subject|, |req|, and |crl|, if non-NULL, must outlive |ctx|. 4975*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509V3_set_ctx(X509V3_CTX *ctx, const X509 *issuer, 4976*8fb009dcSAndroid Build Coastguard Worker const X509 *subject, const X509_REQ *req, 4977*8fb009dcSAndroid Build Coastguard Worker const X509_CRL *crl, int flags); 4978*8fb009dcSAndroid Build Coastguard Worker 4979*8fb009dcSAndroid Build Coastguard Worker // X509V3_set_ctx_test calls |X509V3_set_ctx| without any reference objects and 4980*8fb009dcSAndroid Build Coastguard Worker // mocks out some features that use them. The resulting extensions may be 4981*8fb009dcSAndroid Build Coastguard Worker // incomplete and should be discarded. This can be used to partially validate 4982*8fb009dcSAndroid Build Coastguard Worker // syntax. 4983*8fb009dcSAndroid Build Coastguard Worker // 4984*8fb009dcSAndroid Build Coastguard Worker // TODO(davidben): Can we remove this? 4985*8fb009dcSAndroid Build Coastguard Worker #define X509V3_set_ctx_test(ctx) \ 4986*8fb009dcSAndroid Build Coastguard Worker X509V3_set_ctx(ctx, NULL, NULL, NULL, NULL, X509V3_CTX_TEST) 4987*8fb009dcSAndroid Build Coastguard Worker 4988*8fb009dcSAndroid Build Coastguard Worker // X509V3_set_nconf sets |ctx| to use |conf| as the config database. |ctx| must 4989*8fb009dcSAndroid Build Coastguard Worker // have previously been initialized by |X509V3_set_ctx| or 4990*8fb009dcSAndroid Build Coastguard Worker // |X509V3_set_ctx_test|. Some string formats will reference sections in |conf|. 4991*8fb009dcSAndroid Build Coastguard Worker // |conf| may be NULL, in which case these formats cannot be used. If non-NULL, 4992*8fb009dcSAndroid Build Coastguard Worker // |conf| must outlive |ctx|. 4993*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509V3_set_nconf(X509V3_CTX *ctx, const CONF *conf); 4994*8fb009dcSAndroid Build Coastguard Worker 4995*8fb009dcSAndroid Build Coastguard Worker // X509V3_set_ctx_nodb calls |X509V3_set_nconf| with no config database. 4996*8fb009dcSAndroid Build Coastguard Worker #define X509V3_set_ctx_nodb(ctx) X509V3_set_nconf(ctx, NULL) 4997*8fb009dcSAndroid Build Coastguard Worker 4998*8fb009dcSAndroid Build Coastguard Worker // X509V3_EXT_nconf constructs an extension of type specified by |name|, and 4999*8fb009dcSAndroid Build Coastguard Worker // value specified by |value|. It returns a newly-allocated |X509_EXTENSION| 5000*8fb009dcSAndroid Build Coastguard Worker // object on success, or NULL on error. |conf| and |ctx| specify additional 5001*8fb009dcSAndroid Build Coastguard Worker // information referenced by some formats. Either |conf| or |ctx| may be NULL, 5002*8fb009dcSAndroid Build Coastguard Worker // in which case features which use it will be disabled. 5003*8fb009dcSAndroid Build Coastguard Worker // 5004*8fb009dcSAndroid Build Coastguard Worker // If non-NULL, |ctx| must be initialized with |X509V3_set_ctx| or 5005*8fb009dcSAndroid Build Coastguard Worker // |X509V3_set_ctx_test|. 5006*8fb009dcSAndroid Build Coastguard Worker // 5007*8fb009dcSAndroid Build Coastguard Worker // Both |conf| and |ctx| provide a |CONF| object. When |ctx| is non-NULL, most 5008*8fb009dcSAndroid Build Coastguard Worker // features use the |ctx| copy, configured with |X509V3_set_ctx|, but some use 5009*8fb009dcSAndroid Build Coastguard Worker // |conf|. Callers should ensure the two match to avoid surprisingly behavior. 5010*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_nconf(const CONF *conf, 5011*8fb009dcSAndroid Build Coastguard Worker const X509V3_CTX *ctx, 5012*8fb009dcSAndroid Build Coastguard Worker const char *name, 5013*8fb009dcSAndroid Build Coastguard Worker const char *value); 5014*8fb009dcSAndroid Build Coastguard Worker 5015*8fb009dcSAndroid Build Coastguard Worker // X509V3_EXT_nconf_nid behaves like |X509V3_EXT_nconf|, except the extension 5016*8fb009dcSAndroid Build Coastguard Worker // type is specified as a NID. 5017*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_nconf_nid(const CONF *conf, 5018*8fb009dcSAndroid Build Coastguard Worker const X509V3_CTX *ctx, 5019*8fb009dcSAndroid Build Coastguard Worker int ext_nid, 5020*8fb009dcSAndroid Build Coastguard Worker const char *value); 5021*8fb009dcSAndroid Build Coastguard Worker 5022*8fb009dcSAndroid Build Coastguard Worker // X509V3_EXT_conf_nid calls |X509V3_EXT_nconf_nid|. |conf| must be NULL. 5023*8fb009dcSAndroid Build Coastguard Worker // 5024*8fb009dcSAndroid Build Coastguard Worker // TODO(davidben): This is the only exposed instance of an LHASH in our public 5025*8fb009dcSAndroid Build Coastguard Worker // headers. cryptography.io wraps this function so we cannot, yet, replace the 5026*8fb009dcSAndroid Build Coastguard Worker // type with a dummy struct. 5027*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, 5028*8fb009dcSAndroid Build Coastguard Worker const X509V3_CTX *ctx, 5029*8fb009dcSAndroid Build Coastguard Worker int ext_nid, 5030*8fb009dcSAndroid Build Coastguard Worker const char *value); 5031*8fb009dcSAndroid Build Coastguard Worker 5032*8fb009dcSAndroid Build Coastguard Worker // X509V3_EXT_add_nconf_sk looks up the section named |section| in |conf|. For 5033*8fb009dcSAndroid Build Coastguard Worker // each |CONF_VALUE| in the section, it constructs an extension as in 5034*8fb009dcSAndroid Build Coastguard Worker // |X509V3_EXT_nconf|, taking |name| and |value| from the |CONF_VALUE|. Each new 5035*8fb009dcSAndroid Build Coastguard Worker // extension is appended to |*sk|. If |*sk| is non-NULL, and at least one 5036*8fb009dcSAndroid Build Coastguard Worker // extension is added, it sets |*sk| to a newly-allocated 5037*8fb009dcSAndroid Build Coastguard Worker // |STACK_OF(X509_EXTENSION)|. It returns one on success and zero on error. 5038*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509V3_EXT_add_nconf_sk(const CONF *conf, 5039*8fb009dcSAndroid Build Coastguard Worker const X509V3_CTX *ctx, 5040*8fb009dcSAndroid Build Coastguard Worker const char *section, 5041*8fb009dcSAndroid Build Coastguard Worker STACK_OF(X509_EXTENSION) **sk); 5042*8fb009dcSAndroid Build Coastguard Worker 5043*8fb009dcSAndroid Build Coastguard Worker // X509V3_EXT_add_nconf adds extensions to |cert| as in 5044*8fb009dcSAndroid Build Coastguard Worker // |X509V3_EXT_add_nconf_sk|. It returns one on success and zero on error. 5045*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509V3_EXT_add_nconf(const CONF *conf, const X509V3_CTX *ctx, 5046*8fb009dcSAndroid Build Coastguard Worker const char *section, X509 *cert); 5047*8fb009dcSAndroid Build Coastguard Worker 5048*8fb009dcSAndroid Build Coastguard Worker // X509V3_EXT_REQ_add_nconf adds extensions to |req| as in 5049*8fb009dcSAndroid Build Coastguard Worker // |X509V3_EXT_add_nconf_sk|. It returns one on success and zero on error. 5050*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509V3_EXT_REQ_add_nconf(const CONF *conf, 5051*8fb009dcSAndroid Build Coastguard Worker const X509V3_CTX *ctx, 5052*8fb009dcSAndroid Build Coastguard Worker const char *section, X509_REQ *req); 5053*8fb009dcSAndroid Build Coastguard Worker 5054*8fb009dcSAndroid Build Coastguard Worker // X509V3_EXT_CRL_add_nconf adds extensions to |crl| as in 5055*8fb009dcSAndroid Build Coastguard Worker // |X509V3_EXT_add_nconf_sk|. It returns one on success and zero on error. 5056*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509V3_EXT_CRL_add_nconf(const CONF *conf, 5057*8fb009dcSAndroid Build Coastguard Worker const X509V3_CTX *ctx, 5058*8fb009dcSAndroid Build Coastguard Worker const char *section, X509_CRL *crl); 5059*8fb009dcSAndroid Build Coastguard Worker 5060*8fb009dcSAndroid Build Coastguard Worker // i2s_ASN1_OCTET_STRING returns a human-readable representation of |oct| as a 5061*8fb009dcSAndroid Build Coastguard Worker // newly-allocated, NUL-terminated string, or NULL on error. |method| is 5062*8fb009dcSAndroid Build Coastguard Worker // ignored. The caller must release the result with |OPENSSL_free| when done. 5063*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT char *i2s_ASN1_OCTET_STRING(const X509V3_EXT_METHOD *method, 5064*8fb009dcSAndroid Build Coastguard Worker const ASN1_OCTET_STRING *oct); 5065*8fb009dcSAndroid Build Coastguard Worker 5066*8fb009dcSAndroid Build Coastguard Worker // s2i_ASN1_OCTET_STRING decodes |str| as a hexdecimal byte string, with 5067*8fb009dcSAndroid Build Coastguard Worker // optional colon separators between bytes. It returns a newly-allocated 5068*8fb009dcSAndroid Build Coastguard Worker // |ASN1_OCTET_STRING| with the result on success, or NULL on error. |method| 5069*8fb009dcSAndroid Build Coastguard Worker // and |ctx| are ignored. 5070*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING( 5071*8fb009dcSAndroid Build Coastguard Worker const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx, const char *str); 5072*8fb009dcSAndroid Build Coastguard Worker 5073*8fb009dcSAndroid Build Coastguard Worker // i2s_ASN1_INTEGER returns a human-readable representation of |aint| as a 5074*8fb009dcSAndroid Build Coastguard Worker // newly-allocated, NUL-terminated string, or NULL on error. |method| is 5075*8fb009dcSAndroid Build Coastguard Worker // ignored. The caller must release the result with |OPENSSL_free| when done. 5076*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT char *i2s_ASN1_INTEGER(const X509V3_EXT_METHOD *method, 5077*8fb009dcSAndroid Build Coastguard Worker const ASN1_INTEGER *aint); 5078*8fb009dcSAndroid Build Coastguard Worker 5079*8fb009dcSAndroid Build Coastguard Worker // s2i_ASN1_INTEGER decodes |value| as the ASCII representation of an integer, 5080*8fb009dcSAndroid Build Coastguard Worker // and returns a newly-allocated |ASN1_INTEGER| containing the result, or NULL 5081*8fb009dcSAndroid Build Coastguard Worker // on error. |method| is ignored. If |value| begins with "0x" or "0X", the input 5082*8fb009dcSAndroid Build Coastguard Worker // is decoded in hexadecimal, otherwise decimal. 5083*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT ASN1_INTEGER *s2i_ASN1_INTEGER(const X509V3_EXT_METHOD *method, 5084*8fb009dcSAndroid Build Coastguard Worker const char *value); 5085*8fb009dcSAndroid Build Coastguard Worker 5086*8fb009dcSAndroid Build Coastguard Worker // i2s_ASN1_ENUMERATED returns a human-readable representation of |aint| as a 5087*8fb009dcSAndroid Build Coastguard Worker // newly-allocated, NUL-terminated string, or NULL on error. |method| is 5088*8fb009dcSAndroid Build Coastguard Worker // ignored. The caller must release the result with |OPENSSL_free| when done. 5089*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT char *i2s_ASN1_ENUMERATED(const X509V3_EXT_METHOD *method, 5090*8fb009dcSAndroid Build Coastguard Worker const ASN1_ENUMERATED *aint); 5091*8fb009dcSAndroid Build Coastguard Worker 5092*8fb009dcSAndroid Build Coastguard Worker // X509V3_conf_free releases memory associated with |CONF_VALUE|. 5093*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509V3_conf_free(CONF_VALUE *val); 5094*8fb009dcSAndroid Build Coastguard Worker 5095*8fb009dcSAndroid Build Coastguard Worker // i2v_GENERAL_NAME serializes |gen| as a |CONF_VALUE|. If |ret| is non-NULL, it 5096*8fb009dcSAndroid Build Coastguard Worker // appends the value to |ret| and returns |ret| on success or NULL on error. If 5097*8fb009dcSAndroid Build Coastguard Worker // it returns NULL, the caller is still responsible for freeing |ret|. If |ret| 5098*8fb009dcSAndroid Build Coastguard Worker // is NULL, it returns a newly-allocated |STACK_OF(CONF_VALUE)| containing the 5099*8fb009dcSAndroid Build Coastguard Worker // result. |method| is ignored. When done, the caller should release the result 5100*8fb009dcSAndroid Build Coastguard Worker // with |sk_CONF_VALUE_pop_free| and |X509V3_conf_free|. 5101*8fb009dcSAndroid Build Coastguard Worker // 5102*8fb009dcSAndroid Build Coastguard Worker // Do not use this function. This is an internal implementation detail of the 5103*8fb009dcSAndroid Build Coastguard Worker // human-readable print functions. If extracting a SAN list from a certificate, 5104*8fb009dcSAndroid Build Coastguard Worker // look at |gen| directly. 5105*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME( 5106*8fb009dcSAndroid Build Coastguard Worker const X509V3_EXT_METHOD *method, const GENERAL_NAME *gen, 5107*8fb009dcSAndroid Build Coastguard Worker STACK_OF(CONF_VALUE) *ret); 5108*8fb009dcSAndroid Build Coastguard Worker 5109*8fb009dcSAndroid Build Coastguard Worker // i2v_GENERAL_NAMES serializes |gen| as a list of |CONF_VALUE|s. If |ret| is 5110*8fb009dcSAndroid Build Coastguard Worker // non-NULL, it appends the values to |ret| and returns |ret| on success or NULL 5111*8fb009dcSAndroid Build Coastguard Worker // on error. If it returns NULL, the caller is still responsible for freeing 5112*8fb009dcSAndroid Build Coastguard Worker // |ret|. If |ret| is NULL, it returns a newly-allocated |STACK_OF(CONF_VALUE)| 5113*8fb009dcSAndroid Build Coastguard Worker // containing the results. |method| is ignored. 5114*8fb009dcSAndroid Build Coastguard Worker // 5115*8fb009dcSAndroid Build Coastguard Worker // Do not use this function. This is an internal implementation detail of the 5116*8fb009dcSAndroid Build Coastguard Worker // human-readable print functions. If extracting a SAN list from a certificate, 5117*8fb009dcSAndroid Build Coastguard Worker // look at |gen| directly. 5118*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES( 5119*8fb009dcSAndroid Build Coastguard Worker const X509V3_EXT_METHOD *method, const GENERAL_NAMES *gen, 5120*8fb009dcSAndroid Build Coastguard Worker STACK_OF(CONF_VALUE) *extlist); 5121*8fb009dcSAndroid Build Coastguard Worker 5122*8fb009dcSAndroid Build Coastguard Worker // a2i_IPADDRESS decodes |ipasc| as the textual representation of an IPv4 or 5123*8fb009dcSAndroid Build Coastguard Worker // IPv6 address. On success, it returns a newly-allocated |ASN1_OCTET_STRING| 5124*8fb009dcSAndroid Build Coastguard Worker // containing the decoded IP address. IPv4 addresses are represented as 4-byte 5125*8fb009dcSAndroid Build Coastguard Worker // strings and IPv6 addresses as 16-byte strings. On failure, it returns NULL. 5126*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc); 5127*8fb009dcSAndroid Build Coastguard Worker 5128*8fb009dcSAndroid Build Coastguard Worker // a2i_IPADDRESS_NC decodes |ipasc| as the textual representation of an IPv4 or 5129*8fb009dcSAndroid Build Coastguard Worker // IPv6 address range. On success, it returns a newly-allocated 5130*8fb009dcSAndroid Build Coastguard Worker // |ASN1_OCTET_STRING| containing the decoded IP address, followed by the 5131*8fb009dcSAndroid Build Coastguard Worker // decoded mask. IPv4 ranges are represented as 8-byte strings and IPv6 ranges 5132*8fb009dcSAndroid Build Coastguard Worker // as 32-byte strings. On failure, it returns NULL. 5133*8fb009dcSAndroid Build Coastguard Worker // 5134*8fb009dcSAndroid Build Coastguard Worker // The text format decoded by this function is not the standard CIDR notiation. 5135*8fb009dcSAndroid Build Coastguard Worker // Instead, the mask after the "/" is represented as another IP address. For 5136*8fb009dcSAndroid Build Coastguard Worker // example, "192.168.0.0/16" would be written "192.168.0.0/255.255.0.0". 5137*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc); 5138*8fb009dcSAndroid Build Coastguard Worker 5139*8fb009dcSAndroid Build Coastguard Worker 5140*8fb009dcSAndroid Build Coastguard Worker // Deprecated functions. 5141*8fb009dcSAndroid Build Coastguard Worker 5142*8fb009dcSAndroid Build Coastguard Worker // X509_get_notBefore returns |x509|'s notBefore time. Note this function is not 5143*8fb009dcSAndroid Build Coastguard Worker // const-correct for legacy reasons. Use |X509_get0_notBefore| or 5144*8fb009dcSAndroid Build Coastguard Worker // |X509_getm_notBefore| instead. 5145*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT ASN1_TIME *X509_get_notBefore(const X509 *x509); 5146*8fb009dcSAndroid Build Coastguard Worker 5147*8fb009dcSAndroid Build Coastguard Worker // X509_get_notAfter returns |x509|'s notAfter time. Note this function is not 5148*8fb009dcSAndroid Build Coastguard Worker // const-correct for legacy reasons. Use |X509_get0_notAfter| or 5149*8fb009dcSAndroid Build Coastguard Worker // |X509_getm_notAfter| instead. 5150*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT ASN1_TIME *X509_get_notAfter(const X509 *x509); 5151*8fb009dcSAndroid Build Coastguard Worker 5152*8fb009dcSAndroid Build Coastguard Worker // X509_set_notBefore calls |X509_set1_notBefore|. Use |X509_set1_notBefore| 5153*8fb009dcSAndroid Build Coastguard Worker // instead. 5154*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_set_notBefore(X509 *x509, const ASN1_TIME *tm); 5155*8fb009dcSAndroid Build Coastguard Worker 5156*8fb009dcSAndroid Build Coastguard Worker // X509_set_notAfter calls |X509_set1_notAfter|. Use |X509_set1_notAfter| 5157*8fb009dcSAndroid Build Coastguard Worker // instead. 5158*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_set_notAfter(X509 *x509, const ASN1_TIME *tm); 5159*8fb009dcSAndroid Build Coastguard Worker 5160*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_get_lastUpdate returns a mutable pointer to |crl|'s thisUpdate time. 5161*8fb009dcSAndroid Build Coastguard Worker // The OpenSSL API refers to this field as lastUpdate. 5162*8fb009dcSAndroid Build Coastguard Worker // 5163*8fb009dcSAndroid Build Coastguard Worker // Use |X509_CRL_get0_lastUpdate| or |X509_CRL_set1_lastUpdate| instead. 5164*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl); 5165*8fb009dcSAndroid Build Coastguard Worker 5166*8fb009dcSAndroid Build Coastguard Worker // X509_CRL_get_nextUpdate returns a mutable pointer to |crl|'s nextUpdate time, 5167*8fb009dcSAndroid Build Coastguard Worker // or NULL if |crl| has none. Use |X509_CRL_get0_nextUpdate| or 5168*8fb009dcSAndroid Build Coastguard Worker // |X509_CRL_set1_nextUpdate| instead. 5169*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl); 5170*8fb009dcSAndroid Build Coastguard Worker 5171*8fb009dcSAndroid Build Coastguard Worker // X509_extract_key is a legacy alias to |X509_get_pubkey|. Use 5172*8fb009dcSAndroid Build Coastguard Worker // |X509_get_pubkey| instead. 5173*8fb009dcSAndroid Build Coastguard Worker #define X509_extract_key(x) X509_get_pubkey(x) 5174*8fb009dcSAndroid Build Coastguard Worker 5175*8fb009dcSAndroid Build Coastguard Worker // X509_REQ_extract_key is a legacy alias for |X509_REQ_get_pubkey|. 5176*8fb009dcSAndroid Build Coastguard Worker #define X509_REQ_extract_key(a) X509_REQ_get_pubkey(a) 5177*8fb009dcSAndroid Build Coastguard Worker 5178*8fb009dcSAndroid Build Coastguard Worker // X509_name_cmp is a legacy alias for |X509_NAME_cmp|. 5179*8fb009dcSAndroid Build Coastguard Worker #define X509_name_cmp(a, b) X509_NAME_cmp((a), (b)) 5180*8fb009dcSAndroid Build Coastguard Worker 5181*8fb009dcSAndroid Build Coastguard Worker // The following symbols are deprecated aliases to |X509_CRL_set1_*|. 5182*8fb009dcSAndroid Build Coastguard Worker #define X509_CRL_set_lastUpdate X509_CRL_set1_lastUpdate 5183*8fb009dcSAndroid Build Coastguard Worker #define X509_CRL_set_nextUpdate X509_CRL_set1_nextUpdate 5184*8fb009dcSAndroid Build Coastguard Worker 5185*8fb009dcSAndroid Build Coastguard Worker // X509_get_serialNumber returns a mutable pointer to |x509|'s serial number. 5186*8fb009dcSAndroid Build Coastguard Worker // Prefer |X509_get0_serialNumber|. 5187*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT ASN1_INTEGER *X509_get_serialNumber(X509 *x509); 5188*8fb009dcSAndroid Build Coastguard Worker 5189*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_get_text_by_OBJ finds the first attribute with type |obj| in 5190*8fb009dcSAndroid Build Coastguard Worker // |name|. If found, it writes the value's UTF-8 representation to |buf|. 5191*8fb009dcSAndroid Build Coastguard Worker // followed by a NUL byte, and returns the number of bytes in the output, 5192*8fb009dcSAndroid Build Coastguard Worker // excluding the NUL byte. This is unlike OpenSSL which returns the raw 5193*8fb009dcSAndroid Build Coastguard Worker // ASN1_STRING data. The UTF-8 encoding of the |ASN1_STRING| may not contain a 0 5194*8fb009dcSAndroid Build Coastguard Worker // codepoint. 5195*8fb009dcSAndroid Build Coastguard Worker // 5196*8fb009dcSAndroid Build Coastguard Worker // This function writes at most |len| bytes, including the NUL byte. If |buf| 5197*8fb009dcSAndroid Build Coastguard Worker // is NULL, it writes nothing and returns the number of bytes in the 5198*8fb009dcSAndroid Build Coastguard Worker // output, excluding the NUL byte that would be required for the full UTF-8 5199*8fb009dcSAndroid Build Coastguard Worker // output. 5200*8fb009dcSAndroid Build Coastguard Worker // 5201*8fb009dcSAndroid Build Coastguard Worker // This function may return -1 if an error occurs for any reason, including the 5202*8fb009dcSAndroid Build Coastguard Worker // value not being a recognized string type, |len| being of insufficient size to 5203*8fb009dcSAndroid Build Coastguard Worker // hold the full UTF-8 encoding and NUL byte, memory allocation failures, an 5204*8fb009dcSAndroid Build Coastguard Worker // object with type |obj| not existing in |name|, or if the UTF-8 encoding of 5205*8fb009dcSAndroid Build Coastguard Worker // the string contains a zero byte. 5206*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_NAME_get_text_by_OBJ(const X509_NAME *name, 5207*8fb009dcSAndroid Build Coastguard Worker const ASN1_OBJECT *obj, char *buf, 5208*8fb009dcSAndroid Build Coastguard Worker int len); 5209*8fb009dcSAndroid Build Coastguard Worker 5210*8fb009dcSAndroid Build Coastguard Worker // X509_NAME_get_text_by_NID behaves like |X509_NAME_get_text_by_OBJ| except it 5211*8fb009dcSAndroid Build Coastguard Worker // finds an attribute of type |nid|, which should be one of the |NID_*| 5212*8fb009dcSAndroid Build Coastguard Worker // constants. 5213*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_NAME_get_text_by_NID(const X509_NAME *name, int nid, 5214*8fb009dcSAndroid Build Coastguard Worker char *buf, int len); 5215*8fb009dcSAndroid Build Coastguard Worker 5216*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_get0_parent_ctx returns NULL. 5217*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx( 5218*8fb009dcSAndroid Build Coastguard Worker const X509_STORE_CTX *ctx); 5219*8fb009dcSAndroid Build Coastguard Worker 5220*8fb009dcSAndroid Build Coastguard Worker // X509_OBJECT_free_contents sets |obj| to the empty object, freeing any values 5221*8fb009dcSAndroid Build Coastguard Worker // that were previously there. 5222*8fb009dcSAndroid Build Coastguard Worker // 5223*8fb009dcSAndroid Build Coastguard Worker // TODO(davidben): Unexport this function after rust-openssl is fixed to no 5224*8fb009dcSAndroid Build Coastguard Worker // longer call it. 5225*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_OBJECT_free_contents(X509_OBJECT *obj); 5226*8fb009dcSAndroid Build Coastguard Worker 5227*8fb009dcSAndroid Build Coastguard Worker // X509_LOOKUP_free releases memory associated with |ctx|. This function should 5228*8fb009dcSAndroid Build Coastguard Worker // never be used outside the library. No function in the public API hands 5229*8fb009dcSAndroid Build Coastguard Worker // ownership of an |X509_LOOKUP| to the caller. 5230*8fb009dcSAndroid Build Coastguard Worker // 5231*8fb009dcSAndroid Build Coastguard Worker // TODO(davidben): Unexport this function after rust-openssl is fixed to no 5232*8fb009dcSAndroid Build Coastguard Worker // longer call it. 5233*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_LOOKUP_free(X509_LOOKUP *ctx); 5234*8fb009dcSAndroid Build Coastguard Worker 5235*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_cleanup resets |ctx| to the empty state. 5236*8fb009dcSAndroid Build Coastguard Worker // 5237*8fb009dcSAndroid Build Coastguard Worker // This function is a remnant of when |X509_STORE_CTX| was stack-allocated and 5238*8fb009dcSAndroid Build Coastguard Worker // should not be used. If releasing |ctx|, call |X509_STORE_CTX_free|. If 5239*8fb009dcSAndroid Build Coastguard Worker // reusing |ctx| for a new verification, release the old one and create a new 5240*8fb009dcSAndroid Build Coastguard Worker // one. 5241*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx); 5242*8fb009dcSAndroid Build Coastguard Worker 5243*8fb009dcSAndroid Build Coastguard Worker // X509V3_add_standard_extensions returns one. 5244*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509V3_add_standard_extensions(void); 5245*8fb009dcSAndroid Build Coastguard Worker 5246*8fb009dcSAndroid Build Coastguard Worker // The following symbols are legacy aliases for |X509_STORE_CTX| functions. 5247*8fb009dcSAndroid Build Coastguard Worker #define X509_STORE_get_by_subject X509_STORE_CTX_get_by_subject 5248*8fb009dcSAndroid Build Coastguard Worker #define X509_STORE_get1_certs X509_STORE_CTX_get1_certs 5249*8fb009dcSAndroid Build Coastguard Worker #define X509_STORE_get1_crls X509_STORE_CTX_get1_crls 5250*8fb009dcSAndroid Build Coastguard Worker 5251*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_get_chain is a legacy alias for |X509_STORE_CTX_get0_chain|. 5252*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get_chain( 5253*8fb009dcSAndroid Build Coastguard Worker const X509_STORE_CTX *ctx); 5254*8fb009dcSAndroid Build Coastguard Worker 5255*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_trusted_stack is a deprecated alias for 5256*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE_CTX_set0_trusted_stack|. 5257*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, 5258*8fb009dcSAndroid Build Coastguard Worker STACK_OF(X509) *sk); 5259*8fb009dcSAndroid Build Coastguard Worker 5260*8fb009dcSAndroid Build Coastguard Worker typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *); 5261*8fb009dcSAndroid Build Coastguard Worker 5262*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_set_verify_cb configures a callback function for |ctx| that is 5263*8fb009dcSAndroid Build Coastguard Worker // called multiple times during |X509_verify_cert|. The callback returns zero to 5264*8fb009dcSAndroid Build Coastguard Worker // fail verification and one to proceed. Typically, it will return |ok|, which 5265*8fb009dcSAndroid Build Coastguard Worker // preserves the default behavior. Returning one when |ok| is zero will proceed 5266*8fb009dcSAndroid Build Coastguard Worker // past some error. The callback may inspect |ctx| and the error queue to 5267*8fb009dcSAndroid Build Coastguard Worker // attempt to determine the current stage of certificate verification, but this 5268*8fb009dcSAndroid Build Coastguard Worker // is often unreliable. When synthesizing an error, callbacks should use 5269*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE_CTX_set_error| to set a corresponding error. 5270*8fb009dcSAndroid Build Coastguard Worker // 5271*8fb009dcSAndroid Build Coastguard Worker // WARNING: Do not use this function. It is extremely fragile and unpredictable. 5272*8fb009dcSAndroid Build Coastguard Worker // This callback exposes implementation details of certificate verification, 5273*8fb009dcSAndroid Build Coastguard Worker // which change as the library evolves. Attempting to use it for security checks 5274*8fb009dcSAndroid Build Coastguard Worker // can introduce vulnerabilities if making incorrect assumptions about when the 5275*8fb009dcSAndroid Build Coastguard Worker // callback is called. Some errors, when suppressed, may implicitly suppress 5276*8fb009dcSAndroid Build Coastguard Worker // other errors due to internal implementation details. Additionally, overriding 5277*8fb009dcSAndroid Build Coastguard Worker // |ok| may leave |ctx| in an inconsistent state and break invariants. 5278*8fb009dcSAndroid Build Coastguard Worker // 5279*8fb009dcSAndroid Build Coastguard Worker // Instead, customize certificate verification by configuring options on the 5280*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE_CTX| before verification, or applying additional checks after 5281*8fb009dcSAndroid Build Coastguard Worker // |X509_verify_cert| completes successfully. 5282*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_STORE_CTX_set_verify_cb( 5283*8fb009dcSAndroid Build Coastguard Worker X509_STORE_CTX *ctx, int (*verify_cb)(int ok, X509_STORE_CTX *ctx)); 5284*8fb009dcSAndroid Build Coastguard Worker 5285*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_set_verify_cb acts like |X509_STORE_CTX_set_verify_cb| but sets 5286*8fb009dcSAndroid Build Coastguard Worker // the verify callback for any |X509_STORE_CTX| created from this |X509_STORE| 5287*8fb009dcSAndroid Build Coastguard Worker // 5288*8fb009dcSAndroid Build Coastguard Worker // Do not use this function. See |X509_STORE_CTX_set_verify_cb| for details. 5289*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_STORE_set_verify_cb( 5290*8fb009dcSAndroid Build Coastguard Worker X509_STORE *store, X509_STORE_CTX_verify_cb verify_cb); 5291*8fb009dcSAndroid Build Coastguard Worker 5292*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_set_verify_cb_func is a deprecated alias for 5293*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE_set_verify_cb|. 5294*8fb009dcSAndroid Build Coastguard Worker #define X509_STORE_set_verify_cb_func(store, func) \ 5295*8fb009dcSAndroid Build Coastguard Worker X509_STORE_set_verify_cb((store), (func)) 5296*8fb009dcSAndroid Build Coastguard Worker 5297*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_CTX_set_chain configures |ctx| to use |sk| for untrusted 5298*8fb009dcSAndroid Build Coastguard Worker // intermediate certificates to use in verification. This function is redundant 5299*8fb009dcSAndroid Build Coastguard Worker // with the |chain| parameter of |X509_STORE_CTX_init|. Use the parameter 5300*8fb009dcSAndroid Build Coastguard Worker // instead. 5301*8fb009dcSAndroid Build Coastguard Worker // 5302*8fb009dcSAndroid Build Coastguard Worker // WARNING: Despite the similar name, this function is unrelated to 5303*8fb009dcSAndroid Build Coastguard Worker // |X509_STORE_CTX_get0_chain|. 5304*8fb009dcSAndroid Build Coastguard Worker // 5305*8fb009dcSAndroid Build Coastguard Worker // WARNING: This function saves a pointer to |sk| without copying or 5306*8fb009dcSAndroid Build Coastguard Worker // incrementing reference counts. |sk| must outlive |ctx| and may not be mutated 5307*8fb009dcSAndroid Build Coastguard Worker // for the duration of the certificate verification. 5308*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, 5309*8fb009dcSAndroid Build Coastguard Worker STACK_OF(X509) *sk); 5310*8fb009dcSAndroid Build Coastguard Worker 5311*8fb009dcSAndroid Build Coastguard Worker // The following flags do nothing. The corresponding non-standard options have 5312*8fb009dcSAndroid Build Coastguard Worker // been removed. 5313*8fb009dcSAndroid Build Coastguard Worker #define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT 0 5314*8fb009dcSAndroid Build Coastguard Worker #define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0 5315*8fb009dcSAndroid Build Coastguard Worker #define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0 5316*8fb009dcSAndroid Build Coastguard Worker 5317*8fb009dcSAndroid Build Coastguard Worker // X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS does nothing, but is necessary in 5318*8fb009dcSAndroid Build Coastguard Worker // OpenSSL to enable standard wildcard matching. In BoringSSL, this behavior is 5319*8fb009dcSAndroid Build Coastguard Worker // always enabled. 5320*8fb009dcSAndroid Build Coastguard Worker #define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0 5321*8fb009dcSAndroid Build Coastguard Worker 5322*8fb009dcSAndroid Build Coastguard Worker // X509_STORE_get0_objects returns a non-owning pointer of |store|'s internal 5323*8fb009dcSAndroid Build Coastguard Worker // object list. Although this function is not const, callers must not modify 5324*8fb009dcSAndroid Build Coastguard Worker // the result of this function. 5325*8fb009dcSAndroid Build Coastguard Worker // 5326*8fb009dcSAndroid Build Coastguard Worker // WARNING: This function is not thread-safe. If |store| is shared across 5327*8fb009dcSAndroid Build Coastguard Worker // multiple threads, callers cannot safely inspect the result of this function, 5328*8fb009dcSAndroid Build Coastguard Worker // because another thread may have concurrently added to it. In particular, 5329*8fb009dcSAndroid Build Coastguard Worker // |X509_LOOKUP_add_dir| treats this list as a cache and may add to it in the 5330*8fb009dcSAndroid Build Coastguard Worker // course of certificate verification. This API additionally prevents fixing 5331*8fb009dcSAndroid Build Coastguard Worker // some quadratic worst-case behavior in |X509_STORE| and may be removed in the 5332*8fb009dcSAndroid Build Coastguard Worker // future. Use |X509_STORE_get1_objects| instead. 5333*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT STACK_OF(X509_OBJECT) *X509_STORE_get0_objects( 5334*8fb009dcSAndroid Build Coastguard Worker X509_STORE *store); 5335*8fb009dcSAndroid Build Coastguard Worker 5336*8fb009dcSAndroid Build Coastguard Worker // X509_PURPOSE_get_by_sname returns the |X509_PURPOSE_*| constant corresponding 5337*8fb009dcSAndroid Build Coastguard Worker // a short name |sname|, or -1 if |sname| was not recognized. 5338*8fb009dcSAndroid Build Coastguard Worker // 5339*8fb009dcSAndroid Build Coastguard Worker // Use |X509_PURPOSE_*| constants directly instead. The short names used by this 5340*8fb009dcSAndroid Build Coastguard Worker // function look like "sslserver" or "smimeencrypt", so they do not make 5341*8fb009dcSAndroid Build Coastguard Worker // especially good APIs. 5342*8fb009dcSAndroid Build Coastguard Worker // 5343*8fb009dcSAndroid Build Coastguard Worker // This function differs from OpenSSL, which returns an "index" to be passed to 5344*8fb009dcSAndroid Build Coastguard Worker // |X509_PURPOSE_get0|, followed by |X509_PURPOSE_get_id|, to finally obtain an 5345*8fb009dcSAndroid Build Coastguard Worker // |X509_PURPOSE_*| value suitable for use with |X509_VERIFY_PARAM_set_purpose|. 5346*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_PURPOSE_get_by_sname(const char *sname); 5347*8fb009dcSAndroid Build Coastguard Worker 5348*8fb009dcSAndroid Build Coastguard Worker // X509_PURPOSE_get0 returns the |X509_PURPOSE| object corresponding to |id|, 5349*8fb009dcSAndroid Build Coastguard Worker // which should be one of the |X509_PURPOSE_*| constants, or NULL if none 5350*8fb009dcSAndroid Build Coastguard Worker // exists. 5351*8fb009dcSAndroid Build Coastguard Worker // 5352*8fb009dcSAndroid Build Coastguard Worker // This function differs from OpenSSL, which takes an "index", returned from 5353*8fb009dcSAndroid Build Coastguard Worker // |X509_PURPOSE_get_by_sname|. In BoringSSL, indices and |X509_PURPOSE_*| IDs 5354*8fb009dcSAndroid Build Coastguard Worker // are the same. 5355*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT const X509_PURPOSE *X509_PURPOSE_get0(int id); 5356*8fb009dcSAndroid Build Coastguard Worker 5357*8fb009dcSAndroid Build Coastguard Worker // X509_PURPOSE_get_id returns |purpose|'s ID. This will be one of the 5358*8fb009dcSAndroid Build Coastguard Worker // |X509_PURPOSE_*| constants. 5359*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int X509_PURPOSE_get_id(const X509_PURPOSE *purpose); 5360*8fb009dcSAndroid Build Coastguard Worker 5361*8fb009dcSAndroid Build Coastguard Worker // The following constants are values for the legacy Netscape certificate type 5362*8fb009dcSAndroid Build Coastguard Worker // X.509 extension, a precursor to extended key usage. These values correspond 5363*8fb009dcSAndroid Build Coastguard Worker // to the DER encoding of the first byte of the BIT STRING. That is, 0x80 is 5364*8fb009dcSAndroid Build Coastguard Worker // bit zero and 0x01 is bit seven. 5365*8fb009dcSAndroid Build Coastguard Worker // 5366*8fb009dcSAndroid Build Coastguard Worker // TODO(davidben): These constants are only used by OpenVPN, which deprecated 5367*8fb009dcSAndroid Build Coastguard Worker // the feature in 2017. The documentation says it was removed, but they did not 5368*8fb009dcSAndroid Build Coastguard Worker // actually remove it. See if OpenVPN will accept a patch to finish this. 5369*8fb009dcSAndroid Build Coastguard Worker #define NS_SSL_CLIENT 0x80 5370*8fb009dcSAndroid Build Coastguard Worker #define NS_SSL_SERVER 0x40 5371*8fb009dcSAndroid Build Coastguard Worker #define NS_SMIME 0x20 5372*8fb009dcSAndroid Build Coastguard Worker #define NS_OBJSIGN 0x10 5373*8fb009dcSAndroid Build Coastguard Worker #define NS_SSL_CA 0x04 5374*8fb009dcSAndroid Build Coastguard Worker #define NS_SMIME_CA 0x02 5375*8fb009dcSAndroid Build Coastguard Worker #define NS_OBJSIGN_CA 0x01 5376*8fb009dcSAndroid Build Coastguard Worker #define NS_ANY_CA (NS_SSL_CA | NS_SMIME_CA | NS_OBJSIGN_CA) 5377*8fb009dcSAndroid Build Coastguard Worker 5378*8fb009dcSAndroid Build Coastguard Worker 5379*8fb009dcSAndroid Build Coastguard Worker // Private structures. 5380*8fb009dcSAndroid Build Coastguard Worker 5381*8fb009dcSAndroid Build Coastguard Worker struct X509_algor_st { 5382*8fb009dcSAndroid Build Coastguard Worker ASN1_OBJECT *algorithm; 5383*8fb009dcSAndroid Build Coastguard Worker ASN1_TYPE *parameter; 5384*8fb009dcSAndroid Build Coastguard Worker } /* X509_ALGOR */; 5385*8fb009dcSAndroid Build Coastguard Worker 5386*8fb009dcSAndroid Build Coastguard Worker 5387*8fb009dcSAndroid Build Coastguard Worker #if defined(__cplusplus) 5388*8fb009dcSAndroid Build Coastguard Worker } // extern C 5389*8fb009dcSAndroid Build Coastguard Worker #endif 5390*8fb009dcSAndroid Build Coastguard Worker 5391*8fb009dcSAndroid Build Coastguard Worker #if !defined(BORINGSSL_NO_CXX) 5392*8fb009dcSAndroid Build Coastguard Worker extern "C++" { 5393*8fb009dcSAndroid Build Coastguard Worker 5394*8fb009dcSAndroid Build Coastguard Worker BSSL_NAMESPACE_BEGIN 5395*8fb009dcSAndroid Build Coastguard Worker 5396*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_DELETER(ACCESS_DESCRIPTION, ACCESS_DESCRIPTION_free) 5397*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_DELETER(AUTHORITY_KEYID, AUTHORITY_KEYID_free) 5398*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_DELETER(BASIC_CONSTRAINTS, BASIC_CONSTRAINTS_free) 5399*8fb009dcSAndroid Build Coastguard Worker // TODO(davidben): Move this to conf.h and rename to CONF_VALUE_free. 5400*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_DELETER(CONF_VALUE, X509V3_conf_free) 5401*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_DELETER(DIST_POINT, DIST_POINT_free) 5402*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_DELETER(GENERAL_NAME, GENERAL_NAME_free) 5403*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_DELETER(GENERAL_SUBTREE, GENERAL_SUBTREE_free) 5404*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_DELETER(NAME_CONSTRAINTS, NAME_CONSTRAINTS_free) 5405*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_DELETER(NETSCAPE_SPKI, NETSCAPE_SPKI_free) 5406*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_DELETER(POLICY_MAPPING, POLICY_MAPPING_free) 5407*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_DELETER(POLICYINFO, POLICYINFO_free) 5408*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_DELETER(RSA_PSS_PARAMS, RSA_PSS_PARAMS_free) 5409*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_DELETER(X509, X509_free) 5410*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_UP_REF(X509, X509_up_ref) 5411*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_DELETER(X509_ALGOR, X509_ALGOR_free) 5412*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_DELETER(X509_ATTRIBUTE, X509_ATTRIBUTE_free) 5413*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_DELETER(X509_CRL, X509_CRL_free) 5414*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_UP_REF(X509_CRL, X509_CRL_up_ref) 5415*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_DELETER(X509_EXTENSION, X509_EXTENSION_free) 5416*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_DELETER(X509_INFO, X509_INFO_free) 5417*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_DELETER(X509_LOOKUP, X509_LOOKUP_free) 5418*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_DELETER(X509_NAME, X509_NAME_free) 5419*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_DELETER(X509_NAME_ENTRY, X509_NAME_ENTRY_free) 5420*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_DELETER(X509_OBJECT, X509_OBJECT_free) 5421*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_DELETER(X509_PUBKEY, X509_PUBKEY_free) 5422*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_DELETER(X509_REQ, X509_REQ_free) 5423*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_DELETER(X509_REVOKED, X509_REVOKED_free) 5424*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_DELETER(X509_SIG, X509_SIG_free) 5425*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_DELETER(X509_STORE, X509_STORE_free) 5426*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_UP_REF(X509_STORE, X509_STORE_up_ref) 5427*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_DELETER(X509_STORE_CTX, X509_STORE_CTX_free) 5428*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_DELETER(X509_VERIFY_PARAM, X509_VERIFY_PARAM_free) 5429*8fb009dcSAndroid Build Coastguard Worker 5430*8fb009dcSAndroid Build Coastguard Worker BSSL_NAMESPACE_END 5431*8fb009dcSAndroid Build Coastguard Worker 5432*8fb009dcSAndroid Build Coastguard Worker } // extern C++ 5433*8fb009dcSAndroid Build Coastguard Worker #endif // !BORINGSSL_NO_CXX 5434*8fb009dcSAndroid Build Coastguard Worker 5435*8fb009dcSAndroid Build Coastguard Worker #define X509_R_AKID_MISMATCH 100 5436*8fb009dcSAndroid Build Coastguard Worker #define X509_R_BAD_PKCS7_VERSION 101 5437*8fb009dcSAndroid Build Coastguard Worker #define X509_R_BAD_X509_FILETYPE 102 5438*8fb009dcSAndroid Build Coastguard Worker #define X509_R_BASE64_DECODE_ERROR 103 5439*8fb009dcSAndroid Build Coastguard Worker #define X509_R_CANT_CHECK_DH_KEY 104 5440*8fb009dcSAndroid Build Coastguard Worker #define X509_R_CERT_ALREADY_IN_HASH_TABLE 105 5441*8fb009dcSAndroid Build Coastguard Worker #define X509_R_CRL_ALREADY_DELTA 106 5442*8fb009dcSAndroid Build Coastguard Worker #define X509_R_CRL_VERIFY_FAILURE 107 5443*8fb009dcSAndroid Build Coastguard Worker #define X509_R_IDP_MISMATCH 108 5444*8fb009dcSAndroid Build Coastguard Worker #define X509_R_INVALID_BIT_STRING_BITS_LEFT 109 5445*8fb009dcSAndroid Build Coastguard Worker #define X509_R_INVALID_DIRECTORY 110 5446*8fb009dcSAndroid Build Coastguard Worker #define X509_R_INVALID_FIELD_NAME 111 5447*8fb009dcSAndroid Build Coastguard Worker #define X509_R_INVALID_PSS_PARAMETERS 112 5448*8fb009dcSAndroid Build Coastguard Worker #define X509_R_INVALID_TRUST 113 5449*8fb009dcSAndroid Build Coastguard Worker #define X509_R_ISSUER_MISMATCH 114 5450*8fb009dcSAndroid Build Coastguard Worker #define X509_R_KEY_TYPE_MISMATCH 115 5451*8fb009dcSAndroid Build Coastguard Worker #define X509_R_KEY_VALUES_MISMATCH 116 5452*8fb009dcSAndroid Build Coastguard Worker #define X509_R_LOADING_CERT_DIR 117 5453*8fb009dcSAndroid Build Coastguard Worker #define X509_R_LOADING_DEFAULTS 118 5454*8fb009dcSAndroid Build Coastguard Worker #define X509_R_NEWER_CRL_NOT_NEWER 119 5455*8fb009dcSAndroid Build Coastguard Worker #define X509_R_NOT_PKCS7_SIGNED_DATA 120 5456*8fb009dcSAndroid Build Coastguard Worker #define X509_R_NO_CERTIFICATES_INCLUDED 121 5457*8fb009dcSAndroid Build Coastguard Worker #define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY 122 5458*8fb009dcSAndroid Build Coastguard Worker #define X509_R_NO_CRLS_INCLUDED 123 5459*8fb009dcSAndroid Build Coastguard Worker #define X509_R_NO_CRL_NUMBER 124 5460*8fb009dcSAndroid Build Coastguard Worker #define X509_R_PUBLIC_KEY_DECODE_ERROR 125 5461*8fb009dcSAndroid Build Coastguard Worker #define X509_R_PUBLIC_KEY_ENCODE_ERROR 126 5462*8fb009dcSAndroid Build Coastguard Worker #define X509_R_SHOULD_RETRY 127 5463*8fb009dcSAndroid Build Coastguard Worker #define X509_R_UNKNOWN_KEY_TYPE 128 5464*8fb009dcSAndroid Build Coastguard Worker #define X509_R_UNKNOWN_NID 129 5465*8fb009dcSAndroid Build Coastguard Worker #define X509_R_UNKNOWN_PURPOSE_ID 130 5466*8fb009dcSAndroid Build Coastguard Worker #define X509_R_UNKNOWN_TRUST_ID 131 5467*8fb009dcSAndroid Build Coastguard Worker #define X509_R_UNSUPPORTED_ALGORITHM 132 5468*8fb009dcSAndroid Build Coastguard Worker #define X509_R_WRONG_LOOKUP_TYPE 133 5469*8fb009dcSAndroid Build Coastguard Worker #define X509_R_WRONG_TYPE 134 5470*8fb009dcSAndroid Build Coastguard Worker #define X509_R_NAME_TOO_LONG 135 5471*8fb009dcSAndroid Build Coastguard Worker #define X509_R_INVALID_PARAMETER 136 5472*8fb009dcSAndroid Build Coastguard Worker #define X509_R_SIGNATURE_ALGORITHM_MISMATCH 137 5473*8fb009dcSAndroid Build Coastguard Worker #define X509_R_DELTA_CRL_WITHOUT_CRL_NUMBER 138 5474*8fb009dcSAndroid Build Coastguard Worker #define X509_R_INVALID_FIELD_FOR_VERSION 139 5475*8fb009dcSAndroid Build Coastguard Worker #define X509_R_INVALID_VERSION 140 5476*8fb009dcSAndroid Build Coastguard Worker #define X509_R_NO_CERTIFICATE_FOUND 141 5477*8fb009dcSAndroid Build Coastguard Worker #define X509_R_NO_CERTIFICATE_OR_CRL_FOUND 142 5478*8fb009dcSAndroid Build Coastguard Worker #define X509_R_NO_CRL_FOUND 143 5479*8fb009dcSAndroid Build Coastguard Worker #define X509_R_INVALID_POLICY_EXTENSION 144 5480*8fb009dcSAndroid Build Coastguard Worker 5481*8fb009dcSAndroid Build Coastguard Worker #endif // OPENSSL_HEADER_X509_H 5482