grpc 1.53.0 → 1.54.2

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of grpc might be problematic. Click here for more details.

Files changed (695) hide show
  1. checksums.yaml +4 -4
  2. data/Makefile +80 -66
  3. data/include/grpc/event_engine/event_engine.h +30 -14
  4. data/include/grpc/grpc_security.h +4 -0
  5. data/include/grpc/impl/grpc_types.h +11 -2
  6. data/include/grpc/support/port_platform.h +4 -4
  7. data/src/core/ext/filters/backend_metrics/backend_metric_filter.cc +11 -0
  8. data/src/core/ext/filters/client_channel/backend_metric.cc +6 -0
  9. data/src/core/ext/filters/client_channel/backup_poller.cc +2 -11
  10. data/src/core/ext/filters/client_channel/backup_poller.h +0 -3
  11. data/src/core/ext/filters/client_channel/client_channel.cc +848 -813
  12. data/src/core/ext/filters/client_channel/client_channel.h +131 -173
  13. data/src/core/ext/filters/client_channel/client_channel_internal.h +114 -0
  14. data/src/core/ext/filters/client_channel/config_selector.h +4 -3
  15. data/src/core/ext/filters/client_channel/http_proxy.cc +1 -1
  16. data/src/core/ext/filters/client_channel/lb_policy/backend_metric_data.h +6 -1
  17. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +17 -18
  18. data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +134 -151
  19. data/src/core/ext/filters/client_channel/lb_policy/rls/rls.cc +2 -16
  20. data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +14 -10
  21. data/src/core/ext/filters/client_channel/lb_policy/weighted_round_robin/weighted_round_robin.cc +68 -30
  22. data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +11 -3
  23. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +8 -1
  24. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +2 -5
  25. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_override_host.cc +2 -2
  26. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +30 -38
  27. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +4 -4
  28. data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +20 -26
  29. data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +31 -179
  30. data/src/core/ext/filters/client_channel/resolver/polling_resolver.cc +1 -2
  31. data/src/core/ext/filters/client_channel/resolver/polling_resolver.h +1 -2
  32. data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +4 -2
  33. data/src/core/ext/filters/client_channel/retry_filter.cc +95 -102
  34. data/src/core/ext/filters/client_channel/subchannel.cc +2 -4
  35. data/src/core/ext/filters/client_channel/subchannel_stream_client.cc +26 -27
  36. data/src/core/ext/filters/client_channel/subchannel_stream_client.h +8 -5
  37. data/src/core/ext/filters/http/client/http_client_filter.cc +3 -3
  38. data/src/core/ext/filters/http/http_filters_plugin.cc +1 -12
  39. data/src/core/ext/filters/http/message_compress/compression_filter.cc +27 -11
  40. data/src/core/ext/filters/message_size/message_size_filter.cc +141 -224
  41. data/src/core/ext/filters/message_size/message_size_filter.h +48 -3
  42. data/src/core/ext/filters/stateful_session/stateful_session_filter.cc +7 -6
  43. data/src/core/ext/gcp/metadata_query.cc +137 -0
  44. data/src/core/ext/gcp/metadata_query.h +87 -0
  45. data/src/core/ext/transport/chttp2/server/chttp2_server.cc +70 -55
  46. data/src/core/ext/transport/chttp2/transport/bin_encoder.cc +12 -8
  47. data/src/core/ext/transport/chttp2/transport/bin_encoder.h +5 -1
  48. data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +149 -60
  49. data/src/core/ext/transport/chttp2/transport/flow_control.cc +5 -2
  50. data/src/core/ext/transport/chttp2/transport/flow_control.h +2 -1
  51. data/src/core/ext/transport/chttp2/transport/frame_settings.cc +4 -1
  52. data/src/core/ext/transport/chttp2/transport/hpack_encoder.cc +118 -222
  53. data/src/core/ext/transport/chttp2/transport/hpack_encoder.h +295 -113
  54. data/src/core/ext/transport/chttp2/transport/hpack_encoder_table.cc +2 -0
  55. data/src/core/ext/transport/chttp2/transport/hpack_encoder_table.h +2 -0
  56. data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +466 -273
  57. data/src/core/ext/transport/chttp2/transport/hpack_parser.h +7 -3
  58. data/src/core/ext/transport/chttp2/transport/hpack_parser_table.cc +14 -12
  59. data/src/core/ext/transport/chttp2/transport/hpack_parser_table.h +9 -1
  60. data/src/core/ext/transport/chttp2/transport/internal.h +18 -3
  61. data/src/core/ext/transport/chttp2/transport/parsing.cc +9 -2
  62. data/src/core/ext/transport/chttp2/transport/writing.cc +10 -5
  63. data/src/core/ext/transport/inproc/inproc_transport.cc +20 -14
  64. data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.c +5 -3
  65. data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.h +22 -0
  66. data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.c +5 -3
  67. data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.h +22 -0
  68. data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.c +23 -5
  69. data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.h +94 -3
  70. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.c +23 -2
  71. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.h +120 -0
  72. data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.c +6 -3
  73. data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.h +22 -0
  74. data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.c +24 -6
  75. data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.h +111 -12
  76. data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +9 -7
  77. data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +27 -9
  78. data/src/core/ext/upb-generated/envoy/config/trace/v3/opentelemetry.upb.c +0 -1
  79. data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c +11 -7
  80. data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h +56 -12
  81. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.upb.c +5 -3
  82. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.upb.h +24 -0
  83. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.upb.c +5 -3
  84. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.upb.h +24 -0
  85. data/src/core/ext/upb-generated/envoy/type/matcher/v3/http_inputs.upb.c +13 -2
  86. data/src/core/ext/upb-generated/envoy/type/matcher/v3/http_inputs.upb.h +49 -0
  87. data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.c +24 -9
  88. data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.h +66 -12
  89. data/src/core/ext/upbdefs-generated/envoy/config/bootstrap/v3/bootstrap.upbdefs.c +191 -187
  90. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.c +139 -136
  91. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.c +31 -15
  92. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.h +5 -0
  93. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.c +12 -9
  94. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.h +15 -0
  95. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/quic_config.upbdefs.c +54 -45
  96. data/src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.c +135 -119
  97. data/src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.h +5 -0
  98. data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c +100 -97
  99. data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/opentelemetry.upbdefs.c +15 -18
  100. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c +272 -264
  101. data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/tls.upbdefs.c +117 -117
  102. data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/ads.upbdefs.c +5 -5
  103. data/src/core/ext/upbdefs-generated/envoy/service/load_stats/v3/lrs.upbdefs.c +5 -5
  104. data/src/core/ext/upbdefs-generated/envoy/service/status/v3/csds.upbdefs.c +5 -5
  105. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/http_inputs.upbdefs.c +12 -9
  106. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/http_inputs.upbdefs.h +5 -0
  107. data/src/core/ext/xds/xds_channel_stack_modifier.cc +1 -2
  108. data/src/core/ext/xds/xds_client_stats.cc +29 -15
  109. data/src/core/ext/xds/xds_client_stats.h +24 -20
  110. data/src/core/ext/xds/xds_endpoint.cc +5 -2
  111. data/src/core/ext/xds/xds_endpoint.h +9 -1
  112. data/src/core/ext/xds/xds_http_rbac_filter.cc +1 -1
  113. data/src/core/ext/xds/xds_lb_policy_registry.cc +13 -0
  114. data/src/core/ext/xds/xds_transport_grpc.cc +1 -1
  115. data/src/core/{ext/filters/client_channel/resolver/dns/dns_resolver_selection.h → lib/backoff/random_early_detection.cc} +14 -12
  116. data/src/core/lib/backoff/random_early_detection.h +59 -0
  117. data/src/core/lib/channel/call_finalization.h +1 -1
  118. data/src/core/lib/channel/call_tracer.cc +51 -0
  119. data/src/core/lib/channel/call_tracer.h +101 -38
  120. data/src/core/lib/channel/connected_channel.cc +483 -1050
  121. data/src/core/lib/channel/context.h +8 -1
  122. data/src/core/lib/channel/promise_based_filter.cc +106 -42
  123. data/src/core/lib/channel/promise_based_filter.h +27 -13
  124. data/src/core/lib/channel/server_call_tracer_filter.cc +110 -0
  125. data/src/core/lib/config/config_vars.cc +151 -0
  126. data/src/core/lib/config/config_vars.h +127 -0
  127. data/src/core/lib/config/config_vars_non_generated.cc +51 -0
  128. data/src/core/lib/config/load_config.cc +66 -0
  129. data/src/core/lib/config/load_config.h +49 -0
  130. data/src/core/lib/debug/trace.cc +5 -6
  131. data/src/core/lib/debug/trace.h +0 -5
  132. data/src/core/lib/event_engine/event_engine.cc +37 -2
  133. data/src/core/lib/event_engine/handle_containers.h +7 -22
  134. data/src/core/lib/event_engine/memory_allocator_factory.h +47 -0
  135. data/src/core/lib/event_engine/posix_engine/ev_poll_posix.cc +0 -4
  136. data/src/core/lib/event_engine/posix_engine/event_poller_posix_default.cc +3 -9
  137. data/src/core/lib/event_engine/posix_engine/posix_endpoint.cc +48 -15
  138. data/src/core/lib/event_engine/posix_engine/posix_endpoint.h +8 -8
  139. data/src/core/lib/event_engine/posix_engine/posix_engine.cc +6 -5
  140. data/src/core/lib/event_engine/posix_engine/posix_engine_listener.cc +6 -3
  141. data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.cc +27 -18
  142. data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.h +0 -3
  143. data/src/core/lib/event_engine/resolved_address.cc +2 -1
  144. data/src/core/lib/event_engine/windows/win_socket.cc +0 -1
  145. data/src/core/lib/event_engine/windows/windows_endpoint.cc +129 -82
  146. data/src/core/lib/event_engine/windows/windows_endpoint.h +21 -5
  147. data/src/core/lib/event_engine/windows/windows_engine.cc +39 -18
  148. data/src/core/lib/event_engine/windows/windows_engine.h +2 -1
  149. data/src/core/lib/event_engine/windows/windows_listener.cc +370 -0
  150. data/src/core/lib/event_engine/windows/windows_listener.h +155 -0
  151. data/src/core/lib/experiments/config.cc +3 -10
  152. data/src/core/lib/experiments/experiments.cc +7 -0
  153. data/src/core/lib/experiments/experiments.h +9 -1
  154. data/src/core/lib/gpr/log.cc +15 -28
  155. data/src/core/lib/gprpp/fork.cc +8 -14
  156. data/src/core/lib/gprpp/orphanable.h +4 -3
  157. data/src/core/lib/gprpp/per_cpu.h +9 -3
  158. data/src/core/lib/gprpp/{thd_posix.cc → posix/thd.cc} +49 -37
  159. data/src/core/lib/gprpp/ref_counted.h +33 -34
  160. data/src/core/lib/gprpp/thd.h +16 -0
  161. data/src/core/lib/gprpp/time.cc +1 -0
  162. data/src/core/lib/gprpp/time.h +4 -4
  163. data/src/core/lib/gprpp/{thd_windows.cc → windows/thd.cc} +2 -2
  164. data/src/core/lib/iomgr/call_combiner.h +2 -2
  165. data/src/core/lib/iomgr/endpoint_cfstream.cc +4 -2
  166. data/src/core/lib/iomgr/endpoint_pair.h +2 -2
  167. data/src/core/lib/iomgr/endpoint_pair_posix.cc +2 -2
  168. data/src/core/lib/iomgr/endpoint_pair_windows.cc +1 -1
  169. data/src/core/lib/iomgr/ev_posix.cc +13 -53
  170. data/src/core/lib/iomgr/ev_posix.h +0 -3
  171. data/src/core/lib/iomgr/event_engine_shims/endpoint.cc +103 -76
  172. data/src/core/lib/iomgr/iomgr.cc +4 -8
  173. data/src/core/lib/iomgr/iomgr_windows.cc +8 -2
  174. data/src/core/lib/iomgr/pollset_set_windows.cc +9 -9
  175. data/src/core/lib/iomgr/pollset_windows.cc +1 -1
  176. data/src/core/lib/iomgr/socket_utils_common_posix.cc +16 -3
  177. data/src/core/lib/iomgr/tcp_client_windows.cc +2 -2
  178. data/src/core/lib/iomgr/tcp_posix.cc +0 -1
  179. data/src/core/lib/iomgr/tcp_server_posix.cc +5 -16
  180. data/src/core/lib/iomgr/tcp_server_windows.cc +176 -9
  181. data/src/core/lib/iomgr/tcp_windows.cc +12 -8
  182. data/src/core/lib/load_balancing/lb_policy.cc +9 -13
  183. data/src/core/lib/load_balancing/lb_policy.h +4 -2
  184. data/src/core/lib/promise/activity.cc +22 -6
  185. data/src/core/lib/promise/activity.h +61 -24
  186. data/src/core/lib/promise/cancel_callback.h +77 -0
  187. data/src/core/lib/promise/detail/basic_seq.h +1 -1
  188. data/src/core/lib/promise/detail/promise_factory.h +4 -0
  189. data/src/core/lib/promise/for_each.h +176 -0
  190. data/src/core/lib/promise/if.h +9 -0
  191. data/src/core/lib/promise/interceptor_list.h +23 -2
  192. data/src/core/lib/promise/latch.h +89 -3
  193. data/src/core/lib/promise/loop.h +13 -9
  194. data/src/core/lib/promise/map.h +7 -0
  195. data/src/core/lib/promise/party.cc +286 -0
  196. data/src/core/lib/promise/party.h +499 -0
  197. data/src/core/lib/promise/pipe.h +197 -57
  198. data/src/core/lib/promise/poll.h +48 -0
  199. data/src/core/lib/promise/promise.h +2 -2
  200. data/src/core/lib/resource_quota/arena.cc +19 -3
  201. data/src/core/lib/resource_quota/arena.h +119 -5
  202. data/src/core/lib/resource_quota/memory_quota.cc +1 -1
  203. data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +12 -35
  204. data/src/core/lib/security/credentials/external/aws_external_account_credentials.h +1 -0
  205. data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +0 -59
  206. data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +10 -5
  207. data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +1 -1
  208. data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc +13 -0
  209. data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h +2 -0
  210. data/src/core/lib/security/security_connector/load_system_roots_supported.cc +5 -9
  211. data/src/core/lib/security/security_connector/ssl_utils.cc +11 -25
  212. data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +12 -0
  213. data/src/core/lib/security/transport/secure_endpoint.cc +4 -2
  214. data/src/core/lib/security/transport/server_auth_filter.cc +20 -2
  215. data/src/core/lib/slice/slice.cc +1 -1
  216. data/src/core/lib/surface/builtins.cc +2 -0
  217. data/src/core/lib/surface/call.cc +926 -1024
  218. data/src/core/lib/surface/call.h +10 -0
  219. data/src/core/lib/surface/lame_client.cc +1 -0
  220. data/src/core/lib/surface/validate_metadata.cc +43 -42
  221. data/src/core/lib/surface/validate_metadata.h +9 -0
  222. data/src/core/lib/surface/version.cc +2 -2
  223. data/src/core/lib/transport/batch_builder.cc +179 -0
  224. data/src/core/lib/transport/batch_builder.h +468 -0
  225. data/src/core/lib/transport/bdp_estimator.cc +7 -7
  226. data/src/core/lib/transport/bdp_estimator.h +10 -6
  227. data/src/core/lib/transport/custom_metadata.h +30 -0
  228. data/src/core/lib/transport/metadata_batch.cc +9 -6
  229. data/src/core/lib/transport/metadata_batch.h +168 -18
  230. data/src/core/lib/transport/parsed_metadata.h +19 -9
  231. data/src/core/lib/transport/timeout_encoding.cc +6 -1
  232. data/src/core/lib/transport/transport.cc +30 -2
  233. data/src/core/lib/transport/transport.h +70 -14
  234. data/src/core/lib/transport/transport_impl.h +7 -0
  235. data/src/core/lib/transport/transport_op_string.cc +52 -42
  236. data/src/core/plugin_registry/grpc_plugin_registry.cc +2 -2
  237. data/src/core/tsi/alts/frame_protector/alts_frame_protector.cc +1 -0
  238. data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +21 -4
  239. data/src/core/tsi/alts/handshaker/alts_handshaker_client.h +5 -0
  240. data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +1 -1
  241. data/src/core/tsi/ssl_transport_security.cc +4 -2
  242. data/src/ruby/lib/grpc/version.rb +1 -1
  243. data/third_party/abseil-cpp/absl/base/config.h +1 -1
  244. data/third_party/abseil-cpp/absl/flags/commandlineflag.cc +34 -0
  245. data/third_party/abseil-cpp/absl/flags/commandlineflag.h +200 -0
  246. data/third_party/abseil-cpp/absl/flags/config.h +68 -0
  247. data/third_party/abseil-cpp/absl/flags/declare.h +73 -0
  248. data/third_party/abseil-cpp/absl/flags/flag.cc +38 -0
  249. data/third_party/abseil-cpp/absl/flags/flag.h +310 -0
  250. data/{src/core/lib/gprpp/global_config_custom.h → third_party/abseil-cpp/absl/flags/internal/commandlineflag.cc} +11 -14
  251. data/third_party/abseil-cpp/absl/flags/internal/commandlineflag.h +68 -0
  252. data/third_party/abseil-cpp/absl/flags/internal/flag.cc +615 -0
  253. data/third_party/abseil-cpp/absl/flags/internal/flag.h +800 -0
  254. data/third_party/abseil-cpp/absl/flags/internal/flag_msvc.inc +116 -0
  255. data/third_party/abseil-cpp/absl/flags/internal/path_util.h +62 -0
  256. data/third_party/abseil-cpp/absl/flags/internal/private_handle_accessor.cc +65 -0
  257. data/third_party/abseil-cpp/absl/flags/internal/private_handle_accessor.h +61 -0
  258. data/third_party/abseil-cpp/absl/flags/internal/program_name.cc +60 -0
  259. data/third_party/abseil-cpp/absl/flags/internal/program_name.h +50 -0
  260. data/third_party/abseil-cpp/absl/flags/internal/registry.h +97 -0
  261. data/third_party/abseil-cpp/absl/flags/internal/sequence_lock.h +187 -0
  262. data/third_party/abseil-cpp/absl/flags/marshalling.cc +241 -0
  263. data/third_party/abseil-cpp/absl/flags/marshalling.h +356 -0
  264. data/third_party/abseil-cpp/absl/flags/reflection.cc +354 -0
  265. data/third_party/abseil-cpp/absl/flags/reflection.h +90 -0
  266. data/third_party/abseil-cpp/absl/flags/usage_config.cc +165 -0
  267. data/third_party/abseil-cpp/absl/flags/usage_config.h +135 -0
  268. data/third_party/abseil-cpp/absl/strings/internal/cord_internal.h +12 -8
  269. data/third_party/boringssl-with-bazel/err_data.c +728 -712
  270. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bitstr.c +177 -177
  271. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bool.c +28 -55
  272. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_d2i_fp.c +21 -23
  273. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_dup.c +20 -23
  274. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_gentm.c +66 -185
  275. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_i2d_fp.c +18 -21
  276. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_int.c +356 -311
  277. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +174 -194
  278. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +146 -210
  279. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_octet.c +6 -9
  280. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strex.c +346 -526
  281. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +110 -131
  282. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_time.c +130 -116
  283. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c +93 -60
  284. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +93 -181
  285. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +242 -305
  286. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_par.c +41 -18
  287. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn_pack.c +30 -33
  288. data/third_party/boringssl-with-bazel/src/crypto/asn1/f_int.c +36 -33
  289. data/third_party/boringssl-with-bazel/src/crypto/asn1/f_string.c +29 -26
  290. data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +133 -88
  291. data/third_party/boringssl-with-bazel/src/crypto/asn1/posix_time.c +230 -0
  292. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +791 -791
  293. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +526 -526
  294. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +114 -135
  295. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +201 -207
  296. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_typ.c +21 -26
  297. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +55 -68
  298. data/third_party/boringssl-with-bazel/src/crypto/base64/base64.c +2 -4
  299. data/third_party/boringssl-with-bazel/src/crypto/bio/bio.c +11 -7
  300. data/third_party/boringssl-with-bazel/src/crypto/bio/bio_mem.c +4 -4
  301. data/third_party/boringssl-with-bazel/src/crypto/bio/connect.c +15 -9
  302. data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +4 -4
  303. data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +17 -10
  304. data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +1 -3
  305. data/third_party/boringssl-with-bazel/src/crypto/bio/printf.c +0 -13
  306. data/third_party/boringssl-with-bazel/src/crypto/bio/socket.c +3 -6
  307. data/third_party/boringssl-with-bazel/src/crypto/bio/socket_helper.c +2 -0
  308. data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +9 -5
  309. data/third_party/boringssl-with-bazel/src/crypto/bn_extra/convert.c +10 -23
  310. data/third_party/boringssl-with-bazel/src/crypto/buf/buf.c +2 -6
  311. data/third_party/boringssl-with-bazel/src/crypto/bytestring/asn1_compat.c +2 -1
  312. data/third_party/boringssl-with-bazel/src/crypto/bytestring/ber.c +29 -28
  313. data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbb.c +161 -201
  314. data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +254 -39
  315. data/third_party/boringssl-with-bazel/src/crypto/bytestring/internal.h +2 -2
  316. data/third_party/boringssl-with-bazel/src/crypto/chacha/chacha.c +0 -2
  317. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/derive_key.c +4 -4
  318. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesctrhmac.c +9 -8
  319. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesgcmsiv.c +37 -75
  320. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_chacha20poly1305.c +8 -10
  321. data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/cipher → cipher_extra}/e_des.c +100 -78
  322. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_null.c +1 -0
  323. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_rc2.c +1 -0
  324. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_rc4.c +2 -0
  325. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_tls.c +6 -12
  326. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +14 -11
  327. data/third_party/boringssl-with-bazel/src/crypto/conf/conf.c +6 -10
  328. data/third_party/boringssl-with-bazel/src/crypto/conf/conf_def.h +0 -1
  329. data/third_party/boringssl-with-bazel/src/crypto/conf/internal.h +12 -0
  330. data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_apple.c +74 -0
  331. data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_freebsd.c +62 -0
  332. data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-fuchsia.c → cpu_aarch64_fuchsia.c} +8 -7
  333. data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-linux.c → cpu_aarch64_linux.c} +6 -4
  334. data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-win.c → cpu_aarch64_win.c} +4 -4
  335. data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm.c → cpu_arm.c} +1 -1
  336. data/third_party/boringssl-with-bazel/src/crypto/cpu_arm_freebsd.c +55 -0
  337. data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm-linux.c → cpu_arm_linux.c} +11 -90
  338. data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm-linux.h → cpu_arm_linux.h} +0 -38
  339. data/third_party/boringssl-with-bazel/src/crypto/{cpu-intel.c → cpu_intel.c} +1 -2
  340. data/third_party/boringssl-with-bazel/src/crypto/crypto.c +25 -20
  341. data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519.c +16 -27
  342. data/third_party/boringssl-with-bazel/src/crypto/curve25519/spake25519.c +17 -32
  343. data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/des → des}/des.c +232 -232
  344. data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/des → des}/internal.h +1 -1
  345. data/third_party/boringssl-with-bazel/src/crypto/dh_extra/dh_asn1.c +1 -0
  346. data/third_party/boringssl-with-bazel/src/crypto/dh_extra/params.c +232 -29
  347. data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +0 -3
  348. data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c +39 -16
  349. data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa_asn1.c +37 -7
  350. data/third_party/boringssl-with-bazel/src/crypto/dsa/internal.h +3 -3
  351. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/ec_asn1.c +11 -36
  352. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/hash_to_curve.c +214 -99
  353. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/internal.h +21 -5
  354. data/third_party/boringssl-with-bazel/src/crypto/ecdsa_extra/ecdsa_asn1.c +2 -4
  355. data/third_party/boringssl-with-bazel/src/crypto/err/err.c +83 -60
  356. data/third_party/boringssl-with-bazel/src/crypto/evp/evp.c +46 -12
  357. data/third_party/boringssl-with-bazel/src/crypto/evp/evp_asn1.c +3 -3
  358. data/third_party/boringssl-with-bazel/src/crypto/evp/evp_ctx.c +25 -23
  359. data/third_party/boringssl-with-bazel/src/crypto/evp/internal.h +43 -9
  360. data/third_party/boringssl-with-bazel/src/crypto/evp/p_dsa_asn1.c +75 -44
  361. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec.c +19 -25
  362. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec_asn1.c +96 -45
  363. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519.c +7 -8
  364. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519_asn1.c +26 -23
  365. data/third_party/boringssl-with-bazel/src/crypto/evp/p_hkdf.c +233 -0
  366. data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa.c +5 -5
  367. data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa_asn1.c +42 -25
  368. data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519.c +4 -5
  369. data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519_asn1.c +35 -47
  370. data/third_party/boringssl-with-bazel/src/crypto/evp/print.c +135 -244
  371. data/third_party/boringssl-with-bazel/src/crypto/evp/scrypt.c +2 -4
  372. data/third_party/boringssl-with-bazel/src/crypto/evp/sign.c +15 -10
  373. data/third_party/boringssl-with-bazel/src/crypto/ex_data.c +29 -15
  374. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes.c +0 -2
  375. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes_nohw.c +13 -14
  376. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/internal.h +3 -13
  377. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/key_wrap.c +13 -7
  378. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/mode_wrappers.c +9 -7
  379. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +35 -27
  380. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bn.c +16 -26
  381. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bytes.c +88 -60
  382. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/cmp.c +4 -3
  383. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/ctx.c +0 -2
  384. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +1 -1
  385. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div_extra.c +1 -1
  386. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/exponentiation.c +99 -113
  387. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd.c +0 -1
  388. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd_extra.c +5 -3
  389. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/generic.c +112 -168
  390. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +86 -31
  391. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery.c +11 -6
  392. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery_inv.c +4 -5
  393. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/mul.c +4 -5
  394. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/prime.c +13 -0
  395. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/random.c +13 -5
  396. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.c +19 -108
  397. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.h +19 -15
  398. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/shift.c +15 -16
  399. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/sqrt.c +22 -21
  400. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/aead.c +3 -0
  401. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/cipher.c +79 -19
  402. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c +102 -99
  403. data/third_party/boringssl-with-bazel/src/crypto/{cipher_extra → fipsmodule/cipher}/e_aesccm.c +52 -46
  404. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/internal.h +39 -0
  405. data/third_party/boringssl-with-bazel/src/crypto/{cmac → fipsmodule/cmac}/cmac.c +55 -11
  406. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/check.c +2 -3
  407. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/dh.c +21 -6
  408. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/internal.h +56 -0
  409. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digest.c +5 -3
  410. data/third_party/boringssl-with-bazel/src/crypto/{evp → fipsmodule/digestsign}/digestsign.c +51 -15
  411. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +25 -25
  412. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +91 -17
  413. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_montgomery.c +5 -5
  414. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +34 -12
  415. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/oct.c +54 -23
  416. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p224-64.c +44 -60
  417. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64-table.h → p256-nistz-table.h} +1 -1
  418. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64.c → p256-nistz.c} +60 -53
  419. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64.h → p256-nistz.h} +5 -13
  420. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256.c +48 -36
  421. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/scalar.c +2 -8
  422. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple.c +2 -7
  423. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple_mul.c +2 -3
  424. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/wnaf.c +0 -1
  425. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdh/ecdh.c +8 -0
  426. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c +42 -14
  427. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/internal.h +6 -0
  428. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/hmac/hmac.c +52 -24
  429. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cbc.c +9 -15
  430. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cfb.c +1 -4
  431. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ctr.c +2 -4
  432. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm.c +71 -43
  433. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/internal.h +14 -16
  434. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ofb.c +1 -4
  435. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/ctrdrbg.c +31 -13
  436. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.c +16 -8
  437. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.h +3 -2
  438. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/getrandom_fillin.h +2 -2
  439. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +9 -38
  440. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +73 -59
  441. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +11 -45
  442. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/blinding.c +0 -1
  443. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h +22 -0
  444. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/padding.c +63 -52
  445. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +107 -62
  446. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +58 -31
  447. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/fips.c +41 -0
  448. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +523 -422
  449. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/internal.h +89 -0
  450. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/service_indicator.c +334 -0
  451. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/internal.h +3 -12
  452. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1.c +2 -0
  453. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha256.c +12 -8
  454. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c +14 -12
  455. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/kdf.c +19 -6
  456. data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +32 -14
  457. data/third_party/boringssl-with-bazel/src/crypto/hrss/hrss.c +65 -29
  458. data/third_party/boringssl-with-bazel/src/crypto/internal.h +373 -18
  459. data/third_party/boringssl-with-bazel/src/crypto/kyber/internal.h +61 -0
  460. data/third_party/boringssl-with-bazel/src/crypto/kyber/keccak.c +205 -0
  461. data/third_party/boringssl-with-bazel/src/crypto/lhash/internal.h +13 -1
  462. data/third_party/boringssl-with-bazel/src/crypto/mem.c +220 -13
  463. data/third_party/boringssl-with-bazel/src/crypto/obj/obj.c +19 -7
  464. data/third_party/boringssl-with-bazel/src/crypto/obj/obj_dat.h +13 -1
  465. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_all.c +81 -90
  466. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_info.c +150 -245
  467. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +629 -613
  468. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_oth.c +17 -17
  469. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pk8.c +142 -149
  470. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pkey.c +99 -131
  471. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_x509.c +0 -1
  472. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_xaux.c +0 -1
  473. data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +0 -1
  474. data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8.c +0 -3
  475. data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +36 -66
  476. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305.c +31 -38
  477. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_arm.c +2 -1
  478. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_vec.c +18 -31
  479. data/third_party/boringssl-with-bazel/src/crypto/pool/internal.h +1 -0
  480. data/third_party/boringssl-with-bazel/src/crypto/pool/pool.c +8 -1
  481. data/third_party/boringssl-with-bazel/src/crypto/rand_extra/passive.c +129 -5
  482. data/third_party/boringssl-with-bazel/src/crypto/refcount_c11.c +0 -2
  483. data/third_party/boringssl-with-bazel/src/crypto/refcount_lock.c +3 -4
  484. data/third_party/boringssl-with-bazel/src/crypto/siphash/siphash.c +8 -11
  485. data/third_party/boringssl-with-bazel/src/crypto/stack/stack.c +61 -27
  486. data/third_party/boringssl-with-bazel/src/crypto/thread_pthread.c +10 -13
  487. data/third_party/boringssl-with-bazel/src/crypto/thread_win.c +10 -13
  488. data/third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h +66 -34
  489. data/third_party/boringssl-with-bazel/src/crypto/trust_token/pmbtoken.c +190 -77
  490. data/third_party/boringssl-with-bazel/src/crypto/trust_token/trust_token.c +81 -284
  491. data/third_party/boringssl-with-bazel/src/crypto/trust_token/voprf.c +109 -42
  492. data/third_party/boringssl-with-bazel/src/crypto/x509/a_digest.c +22 -24
  493. data/third_party/boringssl-with-bazel/src/crypto/x509/a_sign.c +54 -55
  494. data/third_party/boringssl-with-bazel/src/crypto/x509/a_verify.c +32 -34
  495. data/third_party/boringssl-with-bazel/src/crypto/x509/algorithm.c +32 -16
  496. data/third_party/boringssl-with-bazel/src/crypto/x509/asn1_gen.c +465 -704
  497. data/third_party/boringssl-with-bazel/src/crypto/x509/by_dir.c +284 -331
  498. data/third_party/boringssl-with-bazel/src/crypto/x509/by_file.c +183 -178
  499. data/third_party/boringssl-with-bazel/src/crypto/x509/i2d_pr.c +11 -15
  500. data/third_party/boringssl-with-bazel/src/crypto/x509/internal.h +67 -50
  501. data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.c +153 -150
  502. data/third_party/boringssl-with-bazel/src/crypto/x509/policy.c +786 -0
  503. data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +95 -102
  504. data/third_party/boringssl-with-bazel/src/crypto/x509/t_crl.c +72 -57
  505. data/third_party/boringssl-with-bazel/src/crypto/x509/t_req.c +12 -10
  506. data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +227 -252
  507. data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509a.c +52 -47
  508. data/third_party/boringssl-with-bazel/src/crypto/x509/x509.c +3 -4
  509. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_att.c +230 -224
  510. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +161 -327
  511. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_d2.c +37 -33
  512. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_def.c +14 -31
  513. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_ext.c +55 -85
  514. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_lu.c +534 -618
  515. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_obj.c +129 -122
  516. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c +116 -182
  517. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +132 -132
  518. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_trs.c +181 -202
  519. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_txt.c +64 -79
  520. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_v3.c +175 -160
  521. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +1865 -2050
  522. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +433 -462
  523. data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +156 -163
  524. data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +267 -263
  525. data/third_party/boringssl-with-bazel/src/crypto/x509/x509rset.c +40 -15
  526. data/third_party/boringssl-with-bazel/src/crypto/x509/x509spki.c +59 -63
  527. data/third_party/boringssl-with-bazel/src/crypto/x509/x_algor.c +63 -67
  528. data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +114 -144
  529. data/third_party/boringssl-with-bazel/src/crypto/x509/x_attrib.c +25 -26
  530. data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +326 -415
  531. data/third_party/boringssl-with-bazel/src/crypto/x509/x_exten.c +8 -7
  532. data/third_party/boringssl-with-bazel/src/crypto/x509/x_info.c +30 -28
  533. data/third_party/boringssl-with-bazel/src/crypto/x509/x_name.c +354 -370
  534. data/third_party/boringssl-with-bazel/src/crypto/x509/x_pkey.c +37 -32
  535. data/third_party/boringssl-with-bazel/src/crypto/x509/x_pubkey.c +116 -119
  536. data/third_party/boringssl-with-bazel/src/crypto/x509/x_req.c +36 -26
  537. data/third_party/boringssl-with-bazel/src/crypto/x509/x_sig.c +3 -4
  538. data/third_party/boringssl-with-bazel/src/crypto/x509/x_spki.c +10 -13
  539. data/third_party/boringssl-with-bazel/src/crypto/x509/x_val.c +3 -4
  540. data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +419 -261
  541. data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +113 -105
  542. data/third_party/boringssl-with-bazel/src/crypto/x509v3/ext_dat.h +11 -15
  543. data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +78 -170
  544. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +126 -131
  545. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akeya.c +3 -4
  546. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +465 -469
  547. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bcons.c +56 -54
  548. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +46 -49
  549. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +309 -346
  550. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +341 -365
  551. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_crld.c +429 -393
  552. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +29 -24
  553. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_extku.c +65 -59
  554. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_genn.c +125 -121
  555. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ia5.c +43 -42
  556. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_info.c +122 -125
  557. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_int.c +50 -20
  558. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c +247 -253
  559. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ncons.c +386 -389
  560. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ocsp.c +45 -32
  561. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pcons.c +57 -54
  562. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pmaps.c +63 -67
  563. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +143 -136
  564. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +664 -707
  565. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +83 -75
  566. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +1062 -1146
  567. data/third_party/boringssl-with-bazel/src/include/openssl/aead.h +8 -4
  568. data/third_party/boringssl-with-bazel/src/include/openssl/arm_arch.h +28 -48
  569. data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +211 -187
  570. data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +26 -78
  571. data/third_party/boringssl-with-bazel/src/include/openssl/base.h +19 -14
  572. data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +21 -2
  573. data/third_party/boringssl-with-bazel/src/include/openssl/bn.h +49 -17
  574. data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +99 -29
  575. data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +49 -60
  576. data/third_party/boringssl-with-bazel/src/include/openssl/conf.h +2 -15
  577. data/third_party/boringssl-with-bazel/src/include/openssl/cpu.h +16 -200
  578. data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +34 -0
  579. data/third_party/boringssl-with-bazel/src/include/openssl/ctrdrbg.h +82 -0
  580. data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +32 -30
  581. data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +7 -0
  582. data/third_party/boringssl-with-bazel/src/include/openssl/dsa.h +4 -0
  583. data/third_party/boringssl-with-bazel/src/include/openssl/ec.h +48 -5
  584. data/third_party/boringssl-with-bazel/src/include/openssl/ec_key.h +37 -8
  585. data/third_party/boringssl-with-bazel/src/include/openssl/ecdsa.h +1 -0
  586. data/third_party/boringssl-with-bazel/src/include/openssl/err.h +33 -5
  587. data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +22 -30
  588. data/third_party/boringssl-with-bazel/src/include/openssl/ex_data.h +1 -1
  589. data/third_party/boringssl-with-bazel/src/include/openssl/hmac.h +7 -0
  590. data/third_party/boringssl-with-bazel/src/include/openssl/hpke.h +41 -16
  591. data/third_party/boringssl-with-bazel/src/include/openssl/kdf.h +91 -0
  592. data/third_party/boringssl-with-bazel/src/include/openssl/mem.h +74 -8
  593. data/third_party/boringssl-with-bazel/src/include/openssl/nid.h +13 -0
  594. data/third_party/boringssl-with-bazel/src/include/openssl/opensslconf.h +1 -0
  595. data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +11 -15
  596. data/third_party/boringssl-with-bazel/src/include/openssl/pkcs8.h +8 -0
  597. data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +12 -1
  598. data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +7 -4
  599. data/third_party/boringssl-with-bazel/src/include/openssl/service_indicator.h +96 -0
  600. data/third_party/boringssl-with-bazel/src/include/openssl/span.h +13 -21
  601. data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +139 -75
  602. data/third_party/boringssl-with-bazel/src/include/openssl/ssl3.h +1 -6
  603. data/third_party/boringssl-with-bazel/src/include/openssl/stack.h +384 -286
  604. data/third_party/boringssl-with-bazel/src/include/openssl/thread.h +5 -6
  605. data/third_party/boringssl-with-bazel/src/include/openssl/time.h +41 -0
  606. data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +18 -7
  607. data/third_party/boringssl-with-bazel/src/include/openssl/trust_token.h +49 -23
  608. data/third_party/boringssl-with-bazel/src/include/openssl/type_check.h +0 -11
  609. data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +1592 -1074
  610. data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +202 -205
  611. data/third_party/boringssl-with-bazel/src/ssl/bio_ssl.cc +2 -2
  612. data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +6 -13
  613. data/third_party/boringssl-with-bazel/src/ssl/d1_pkt.cc +17 -18
  614. data/third_party/boringssl-with-bazel/src/ssl/dtls_method.cc +4 -5
  615. data/third_party/boringssl-with-bazel/src/ssl/dtls_record.cc +25 -33
  616. data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +34 -20
  617. data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +65 -34
  618. data/third_party/boringssl-with-bazel/src/ssl/handoff.cc +198 -54
  619. data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +5 -5
  620. data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +32 -28
  621. data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +76 -44
  622. data/third_party/boringssl-with-bazel/src/ssl/internal.h +130 -98
  623. data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +27 -11
  624. data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +2 -2
  625. data/third_party/boringssl-with-bazel/src/ssl/s3_pkt.cc +91 -75
  626. data/third_party/boringssl-with-bazel/src/ssl/ssl_aead_ctx.cc +8 -10
  627. data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc +39 -65
  628. data/third_party/boringssl-with-bazel/src/ssl/ssl_buffer.cc +1 -0
  629. data/third_party/boringssl-with-bazel/src/ssl/ssl_cert.cc +5 -9
  630. data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +30 -33
  631. data/third_party/boringssl-with-bazel/src/ssl/ssl_file.cc +77 -100
  632. data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +120 -107
  633. data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +164 -30
  634. data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +150 -60
  635. data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +22 -11
  636. data/third_party/boringssl-with-bazel/src/ssl/ssl_x509.cc +22 -6
  637. data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc +15 -13
  638. data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +5 -43
  639. data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +7 -4
  640. data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +2 -2
  641. data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +22 -34
  642. data/third_party/boringssl-with-bazel/src/ssl/tls_method.cc +2 -2
  643. data/third_party/boringssl-with-bazel/src/ssl/tls_record.cc +16 -98
  644. data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_32.h +1241 -657
  645. data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_64.h +751 -398
  646. data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_32.h +3551 -1938
  647. data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_64.h +1272 -487
  648. metadata +105 -70
  649. data/src/core/ext/filters/client_channel/lb_call_state_internal.h +0 -39
  650. data/src/core/ext/filters/client_channel/resolver/dns/dns_resolver_selection.cc +0 -30
  651. data/src/core/lib/gprpp/global_config.h +0 -93
  652. data/src/core/lib/gprpp/global_config_env.cc +0 -140
  653. data/src/core/lib/gprpp/global_config_env.h +0 -133
  654. data/src/core/lib/gprpp/global_config_generic.h +0 -40
  655. data/src/core/lib/promise/intra_activity_waiter.h +0 -55
  656. data/src/core/lib/security/security_connector/ssl_utils_config.cc +0 -32
  657. data/src/core/lib/security/security_connector/ssl_utils_config.h +0 -29
  658. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_enum.c +0 -195
  659. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_print.c +0 -83
  660. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utf8.c +0 -236
  661. data/third_party/boringssl-with-bazel/src/crypto/asn1/charmap.h +0 -15
  662. data/third_party/boringssl-with-bazel/src/crypto/asn1/time_support.c +0 -206
  663. data/third_party/boringssl-with-bazel/src/crypto/cpu-ppc64le.c +0 -38
  664. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1-altivec.c +0 -361
  665. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_cache.c +0 -287
  666. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_data.c +0 -132
  667. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_lib.c +0 -155
  668. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_map.c +0 -131
  669. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_node.c +0 -189
  670. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_tree.c +0 -843
  671. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pci.c +0 -289
  672. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pcia.c +0 -57
  673. /data/src/core/lib/gpr/{log_android.cc → android/log.cc} +0 -0
  674. /data/src/core/lib/gpr/{cpu_iphone.cc → iphone/cpu.cc} +0 -0
  675. /data/src/core/lib/gpr/{cpu_linux.cc → linux/cpu.cc} +0 -0
  676. /data/src/core/lib/gpr/{log_linux.cc → linux/log.cc} +0 -0
  677. /data/src/core/lib/gpr/{tmpfile_msys.cc → msys/tmpfile.cc} +0 -0
  678. /data/src/core/lib/gpr/{cpu_posix.cc → posix/cpu.cc} +0 -0
  679. /data/src/core/lib/gpr/{log_posix.cc → posix/log.cc} +0 -0
  680. /data/src/core/lib/gpr/{string_posix.cc → posix/string.cc} +0 -0
  681. /data/src/core/lib/gpr/{sync_posix.cc → posix/sync.cc} +0 -0
  682. /data/src/core/lib/gpr/{time_posix.cc → posix/time.cc} +0 -0
  683. /data/src/core/lib/gpr/{tmpfile_posix.cc → posix/tmpfile.cc} +0 -0
  684. /data/src/core/lib/gpr/{cpu_windows.cc → windows/cpu.cc} +0 -0
  685. /data/src/core/lib/gpr/{log_windows.cc → windows/log.cc} +0 -0
  686. /data/src/core/lib/gpr/{string_windows.cc → windows/string.cc} +0 -0
  687. /data/src/core/lib/gpr/{string_util_windows.cc → windows/string_util.cc} +0 -0
  688. /data/src/core/lib/gpr/{sync_windows.cc → windows/sync.cc} +0 -0
  689. /data/src/core/lib/gpr/{time_windows.cc → windows/time.cc} +0 -0
  690. /data/src/core/lib/gpr/{tmpfile_windows.cc → windows/tmpfile.cc} +0 -0
  691. /data/src/core/lib/gprpp/{env_linux.cc → linux/env.cc} +0 -0
  692. /data/src/core/lib/gprpp/{env_posix.cc → posix/env.cc} +0 -0
  693. /data/src/core/lib/gprpp/{stat_posix.cc → posix/stat.cc} +0 -0
  694. /data/src/core/lib/gprpp/{env_windows.cc → windows/env.cc} +0 -0
  695. /data/src/core/lib/gprpp/{stat_windows.cc → windows/stat.cc} +0 -0
@@ -60,8 +60,8 @@
60
60
  * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
61
61
  */
62
62
 
63
- #ifndef HEADER_X509_H
64
- #define HEADER_X509_H
63
+ #ifndef OPENSSL_HEADER_X509_H
64
+ #define OPENSSL_HEADER_X509_H
65
65
 
66
66
  #include <openssl/asn1.h>
67
67
  #include <openssl/base.h>
@@ -90,10 +90,1475 @@ extern "C" {
90
90
  // Legacy X.509 library.
91
91
  //
92
92
  // This header is part of OpenSSL's X.509 implementation. It is retained for
93
- // compatibility but otherwise underdocumented and not actively maintained. In
94
- // the future, a replacement library will be available. Meanwhile, minimize
93
+ // compatibility but should not be used by new code. The functions are difficult
94
+ // to use correctly, and have buggy or non-standard behaviors. They are thus
95
+ // particularly prone to behavior changes and API removals, as BoringSSL
96
+ // iterates on these issues.
97
+ //
98
+ // In the future, a replacement library will be available. Meanwhile, minimize
95
99
  // dependencies on this header where possible.
100
+ //
101
+ // TODO(https://crbug.com/boringssl/426): Documentation for this library is
102
+ // still in progress. Some functions have not yet been documented, and some
103
+ // functions have not yet been grouped into sections.
104
+
105
+
106
+ // Certificates.
107
+ //
108
+ // An |X509| object represents an X.509 certificate, defined in RFC 5280.
109
+ //
110
+ // Although an |X509| is a mutable object, mutating an |X509| can give incorrect
111
+ // results. Callers typically obtain |X509|s by parsing some input with
112
+ // |d2i_X509|, etc. Such objects carry information such as the serialized
113
+ // TBSCertificate and decoded extensions, which will become inconsistent when
114
+ // mutated.
115
+ //
116
+ // Instead, mutation functions should only be used when issuing new
117
+ // certificates, as described in a later section.
118
+
119
+ DEFINE_STACK_OF(X509)
120
+
121
+ // X509 is an |ASN1_ITEM| whose ASN.1 type is X.509 Certificate (RFC 5280) and C
122
+ // type is |X509*|.
123
+ DECLARE_ASN1_ITEM(X509)
124
+
125
+ // X509_up_ref adds one to the reference count of |x509| and returns one.
126
+ OPENSSL_EXPORT int X509_up_ref(X509 *x509);
127
+
128
+ // X509_chain_up_ref returns a newly-allocated |STACK_OF(X509)| containing a
129
+ // shallow copy of |chain|, or NULL on error. That is, the return value has the
130
+ // same contents as |chain|, and each |X509|'s reference count is incremented by
131
+ // one.
132
+ OPENSSL_EXPORT STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain);
133
+
134
+ // X509_dup returns a newly-allocated copy of |x509|, or NULL on error. This
135
+ // function works by serializing the structure, so auxiliary properties (see
136
+ // |i2d_X509_AUX|) are not preserved. Additionally, if |x509| is incomplete,
137
+ // this function may fail.
138
+ //
139
+ // TODO(https://crbug.com/boringssl/407): This function should be const and
140
+ // thread-safe but is currently neither in some cases, notably if |crl| was
141
+ // mutated.
142
+ OPENSSL_EXPORT X509 *X509_dup(X509 *x509);
143
+
144
+ // X509_free decrements |x509|'s reference count and, if zero, releases memory
145
+ // associated with |x509|.
146
+ OPENSSL_EXPORT void X509_free(X509 *x509);
147
+
148
+ // d2i_X509 parses up to |len| bytes from |*inp| as a DER-encoded X.509
149
+ // Certificate (RFC 5280), as described in |d2i_SAMPLE|.
150
+ OPENSSL_EXPORT X509 *d2i_X509(X509 **out, const uint8_t **inp, long len);
151
+
152
+ // X509_parse_from_buffer parses an X.509 structure from |buf| and returns a
153
+ // fresh X509 or NULL on error. There must not be any trailing data in |buf|.
154
+ // The returned structure (if any) holds a reference to |buf| rather than
155
+ // copying parts of it as a normal |d2i_X509| call would do.
156
+ OPENSSL_EXPORT X509 *X509_parse_from_buffer(CRYPTO_BUFFER *buf);
157
+
158
+ // i2d_X509 marshals |x509| as a DER-encoded X.509 Certificate (RFC 5280), as
159
+ // described in |i2d_SAMPLE|.
160
+ //
161
+ // TODO(https://crbug.com/boringssl/407): This function should be const and
162
+ // thread-safe but is currently neither in some cases, notably if |x509| was
163
+ // mutated.
164
+ OPENSSL_EXPORT int i2d_X509(X509 *x509, uint8_t **outp);
165
+
166
+ // X509_VERSION_* are X.509 version numbers. Note the numerical values of all
167
+ // defined X.509 versions are one less than the named version.
168
+ #define X509_VERSION_1 0
169
+ #define X509_VERSION_2 1
170
+ #define X509_VERSION_3 2
171
+
172
+ // X509_get_version returns the numerical value of |x509|'s version, which will
173
+ // be one of the |X509_VERSION_*| constants.
174
+ OPENSSL_EXPORT long X509_get_version(const X509 *x509);
175
+
176
+ // X509_get0_serialNumber returns |x509|'s serial number.
177
+ OPENSSL_EXPORT const ASN1_INTEGER *X509_get0_serialNumber(const X509 *x509);
178
+
179
+ // X509_get0_notBefore returns |x509|'s notBefore time.
180
+ OPENSSL_EXPORT const ASN1_TIME *X509_get0_notBefore(const X509 *x509);
181
+
182
+ // X509_get0_notAfter returns |x509|'s notAfter time.
183
+ OPENSSL_EXPORT const ASN1_TIME *X509_get0_notAfter(const X509 *x509);
184
+
185
+ // X509_get_issuer_name returns |x509|'s issuer.
186
+ OPENSSL_EXPORT X509_NAME *X509_get_issuer_name(const X509 *x509);
187
+
188
+ // X509_get_subject_name returns |x509|'s subject.
189
+ OPENSSL_EXPORT X509_NAME *X509_get_subject_name(const X509 *x509);
190
+
191
+ // X509_get_X509_PUBKEY returns the public key of |x509|. Note this function is
192
+ // not const-correct for legacy reasons. Callers should not modify the returned
193
+ // object.
194
+ OPENSSL_EXPORT X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x509);
195
+
196
+ // X509_get_pubkey returns |x509|'s public key as an |EVP_PKEY|, or NULL if the
197
+ // public key was unsupported or could not be decoded. This function returns a
198
+ // reference to the |EVP_PKEY|. The caller must release the result with
199
+ // |EVP_PKEY_free| when done.
200
+ OPENSSL_EXPORT EVP_PKEY *X509_get_pubkey(X509 *x509);
201
+
202
+ // X509_get0_pubkey_bitstr returns the BIT STRING portion of |x509|'s public
203
+ // key. Note this does not contain the AlgorithmIdentifier portion.
204
+ //
205
+ // WARNING: This function returns a non-const pointer for OpenSSL compatibility,
206
+ // but the caller must not modify the resulting object. Doing so will break
207
+ // internal invariants in |x509|.
208
+ OPENSSL_EXPORT ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x509);
209
+
210
+ // X509_get0_uids sets |*out_issuer_uid| to a non-owning pointer to the
211
+ // issuerUID field of |x509|, or NULL if |x509| has no issuerUID. It similarly
212
+ // outputs |x509|'s subjectUID field to |*out_subject_uid|.
213
+ //
214
+ // Callers may pass NULL to either |out_issuer_uid| or |out_subject_uid| to
215
+ // ignore the corresponding field.
216
+ OPENSSL_EXPORT void X509_get0_uids(const X509 *x509,
217
+ const ASN1_BIT_STRING **out_issuer_uid,
218
+ const ASN1_BIT_STRING **out_subject_uid);
219
+
220
+ // X509_get0_extensions returns |x509|'s extension list, or NULL if |x509| omits
221
+ // it.
222
+ OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_get0_extensions(
223
+ const X509 *x509);
224
+
225
+ // X509_get_ext_count returns the number of extensions in |x|.
226
+ OPENSSL_EXPORT int X509_get_ext_count(const X509 *x);
227
+
228
+ // X509_get_ext_by_NID behaves like |X509v3_get_ext_by_NID| but searches for
229
+ // extensions in |x|.
230
+ OPENSSL_EXPORT int X509_get_ext_by_NID(const X509 *x, int nid, int lastpos);
231
+
232
+ // X509_get_ext_by_OBJ behaves like |X509v3_get_ext_by_OBJ| but searches for
233
+ // extensions in |x|.
234
+ OPENSSL_EXPORT int X509_get_ext_by_OBJ(const X509 *x, const ASN1_OBJECT *obj,
235
+ int lastpos);
236
+
237
+ // X509_get_ext_by_critical behaves like |X509v3_get_ext_by_critical| but
238
+ // searches for extensions in |x|.
239
+ OPENSSL_EXPORT int X509_get_ext_by_critical(const X509 *x, int crit,
240
+ int lastpos);
241
+
242
+ // X509_get_ext returns the extension in |x| at index |loc|, or NULL if |loc| is
243
+ // out of bounds. This function returns a non-const pointer for OpenSSL
244
+ // compatibility, but callers should not mutate the result.
245
+ OPENSSL_EXPORT X509_EXTENSION *X509_get_ext(const X509 *x, int loc);
246
+
247
+ // X509_get0_tbs_sigalg returns the signature algorithm in |x509|'s
248
+ // TBSCertificate. For the outer signature algorithm, see |X509_get0_signature|.
249
+ //
250
+ // Certificates with mismatched signature algorithms will successfully parse,
251
+ // but they will be rejected when verifying.
252
+ OPENSSL_EXPORT const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x509);
253
+
254
+ // X509_get0_signature sets |*out_sig| and |*out_alg| to the signature and
255
+ // signature algorithm of |x509|, respectively. Either output pointer may be
256
+ // NULL to ignore the value.
257
+ //
258
+ // This function outputs the outer signature algorithm. For the one in the
259
+ // TBSCertificate, see |X509_get0_tbs_sigalg|. Certificates with mismatched
260
+ // signature algorithms will successfully parse, but they will be rejected when
261
+ // verifying.
262
+ OPENSSL_EXPORT void X509_get0_signature(const ASN1_BIT_STRING **out_sig,
263
+ const X509_ALGOR **out_alg,
264
+ const X509 *x509);
265
+
266
+ // X509_get_signature_nid returns the NID corresponding to |x509|'s signature
267
+ // algorithm, or |NID_undef| if the signature algorithm does not correspond to
268
+ // a known NID.
269
+ OPENSSL_EXPORT int X509_get_signature_nid(const X509 *x509);
270
+
271
+ // i2d_X509_tbs serializes the TBSCertificate portion of |x509|, as described in
272
+ // |i2d_SAMPLE|.
273
+ //
274
+ // This function preserves the original encoding of the TBSCertificate and may
275
+ // not reflect modifications made to |x509|. It may be used to manually verify
276
+ // the signature of an existing certificate. To generate certificates, use
277
+ // |i2d_re_X509_tbs| instead.
278
+ OPENSSL_EXPORT int i2d_X509_tbs(X509 *x509, unsigned char **outp);
279
+
280
+
281
+ // Issuing certificates.
282
+ //
283
+ // An |X509| object may also represent an incomplete certificate. Callers may
284
+ // construct empty |X509| objects, fill in fields individually, and finally sign
285
+ // the result. The following functions may be used for this purpose.
286
+
287
+ // X509_new returns a newly-allocated, empty |X509| object, or NULL on error.
288
+ // This produces an incomplete certificate which may be filled in to issue a new
289
+ // certificate.
290
+ OPENSSL_EXPORT X509 *X509_new(void);
291
+
292
+ // X509_set_version sets |x509|'s version to |version|, which should be one of
293
+ // the |X509V_VERSION_*| constants. It returns one on success and zero on error.
294
+ //
295
+ // If unsure, use |X509_VERSION_3|.
296
+ OPENSSL_EXPORT int X509_set_version(X509 *x509, long version);
297
+
298
+ // X509_set_serialNumber sets |x509|'s serial number to |serial|. It returns one
299
+ // on success and zero on error.
300
+ OPENSSL_EXPORT int X509_set_serialNumber(X509 *x509,
301
+ const ASN1_INTEGER *serial);
302
+
303
+ // X509_set1_notBefore sets |x509|'s notBefore time to |tm|. It returns one on
304
+ // success and zero on error.
305
+ OPENSSL_EXPORT int X509_set1_notBefore(X509 *x509, const ASN1_TIME *tm);
306
+
307
+ // X509_set1_notAfter sets |x509|'s notAfter time to |tm|. it returns one on
308
+ // success and zero on error.
309
+ OPENSSL_EXPORT int X509_set1_notAfter(X509 *x509, const ASN1_TIME *tm);
310
+
311
+ // X509_getm_notBefore returns a mutable pointer to |x509|'s notBefore time.
312
+ OPENSSL_EXPORT ASN1_TIME *X509_getm_notBefore(X509 *x509);
313
+
314
+ // X509_getm_notAfter returns a mutable pointer to |x509|'s notAfter time.
315
+ OPENSSL_EXPORT ASN1_TIME *X509_getm_notAfter(X509 *x);
316
+
317
+ // X509_set_issuer_name sets |x509|'s issuer to a copy of |name|. It returns one
318
+ // on success and zero on error.
319
+ OPENSSL_EXPORT int X509_set_issuer_name(X509 *x509, X509_NAME *name);
320
+
321
+ // X509_set_subject_name sets |x509|'s subject to a copy of |name|. It returns
322
+ // one on success and zero on error.
323
+ OPENSSL_EXPORT int X509_set_subject_name(X509 *x509, X509_NAME *name);
324
+
325
+ // X509_set_pubkey sets |x509|'s public key to |pkey|. It returns one on success
326
+ // and zero on error. This function does not take ownership of |pkey| and
327
+ // internally copies and updates reference counts as needed.
328
+ OPENSSL_EXPORT int X509_set_pubkey(X509 *x509, EVP_PKEY *pkey);
329
+
330
+ // X509_delete_ext removes the extension in |x| at index |loc| and returns the
331
+ // removed extension, or NULL if |loc| was out of bounds. If non-NULL, the
332
+ // caller must release the result with |X509_EXTENSION_free|.
333
+ OPENSSL_EXPORT X509_EXTENSION *X509_delete_ext(X509 *x, int loc);
334
+
335
+ // X509_add_ext adds a copy of |ex| to |x|. It returns one on success and zero
336
+ // on failure. The caller retains ownership of |ex| and can release it
337
+ // independently of |x|.
338
+ //
339
+ // The new extension is inserted at index |loc|, shifting extensions to the
340
+ // right. If |loc| is -1 or out of bounds, the new extension is appended to the
341
+ // list.
342
+ OPENSSL_EXPORT int X509_add_ext(X509 *x, const X509_EXTENSION *ex, int loc);
343
+
344
+ // X509_sign signs |x509| with |pkey| and replaces the signature algorithm and
345
+ // signature fields. It returns one on success and zero on error. This function
346
+ // uses digest algorithm |md|, or |pkey|'s default if NULL. Other signing
347
+ // parameters use |pkey|'s defaults. To customize them, use |X509_sign_ctx|.
348
+ OPENSSL_EXPORT int X509_sign(X509 *x509, EVP_PKEY *pkey, const EVP_MD *md);
349
+
350
+ // X509_sign_ctx signs |x509| with |ctx| and replaces the signature algorithm
351
+ // and signature fields. It returns one on success and zero on error. The
352
+ // signature algorithm and parameters come from |ctx|, which must have been
353
+ // initialized with |EVP_DigestSignInit|. The caller should configure the
354
+ // corresponding |EVP_PKEY_CTX| before calling this function.
355
+ OPENSSL_EXPORT int X509_sign_ctx(X509 *x509, EVP_MD_CTX *ctx);
356
+
357
+ // i2d_re_X509_tbs serializes the TBSCertificate portion of |x509|, as described
358
+ // in |i2d_SAMPLE|.
359
+ //
360
+ // This function re-encodes the TBSCertificate and may not reflect |x509|'s
361
+ // original encoding. It may be used to manually generate a signature for a new
362
+ // certificate. To verify certificates, use |i2d_X509_tbs| instead.
363
+ OPENSSL_EXPORT int i2d_re_X509_tbs(X509 *x509, unsigned char **outp);
364
+
365
+ // X509_set1_signature_algo sets |x509|'s signature algorithm to |algo| and
366
+ // returns one on success or zero on error. It updates both the signature field
367
+ // of the TBSCertificate structure, and the signatureAlgorithm field of the
368
+ // Certificate.
369
+ OPENSSL_EXPORT int X509_set1_signature_algo(X509 *x509, const X509_ALGOR *algo);
370
+
371
+ // X509_set1_signature_value sets |x509|'s signature to a copy of the |sig_len|
372
+ // bytes pointed by |sig|. It returns one on success and zero on error.
373
+ //
374
+ // Due to a specification error, X.509 certificates store signatures in ASN.1
375
+ // BIT STRINGs, but signature algorithms return byte strings rather than bit
376
+ // strings. This function creates a BIT STRING containing a whole number of
377
+ // bytes, with the bit order matching the DER encoding. This matches the
378
+ // encoding used by all X.509 signature algorithms.
379
+ OPENSSL_EXPORT int X509_set1_signature_value(X509 *x509, const uint8_t *sig,
380
+ size_t sig_len);
381
+
382
+
383
+ // Auxiliary certificate properties.
384
+ //
385
+ // |X509| objects optionally maintain auxiliary properties. These are not part
386
+ // of the certificates themselves, and thus are not covered by signatures or
387
+ // preserved by the standard serialization. They are used as inputs or outputs
388
+ // to other functions in this library.
389
+
390
+ // i2d_X509_AUX marshals |x509| as a DER-encoded X.509 Certificate (RFC 5280),
391
+ // followed optionally by a separate, OpenSSL-specific structure with auxiliary
392
+ // properties. It behaves as described in |i2d_SAMPLE|.
393
+ //
394
+ // Unlike similarly-named functions, this function does not output a single
395
+ // ASN.1 element. Directly embedding the output in a larger ASN.1 structure will
396
+ // not behave correctly.
397
+ OPENSSL_EXPORT int i2d_X509_AUX(X509 *x509, unsigned char **outp);
398
+
399
+ // d2i_X509_AUX parses up to |length| bytes from |*inp| as a DER-encoded X.509
400
+ // Certificate (RFC 5280), followed optionally by a separate, OpenSSL-specific
401
+ // structure with auxiliary properties. It behaves as described in |d2i_SAMPLE|.
402
+ //
403
+ // Some auxiliary properties affect trust decisions, so this function should not
404
+ // be used with untrusted input.
405
+ //
406
+ // Unlike similarly-named functions, this function does not parse a single
407
+ // ASN.1 element. Trying to parse data directly embedded in a larger ASN.1
408
+ // structure will not behave correctly.
409
+ OPENSSL_EXPORT X509 *d2i_X509_AUX(X509 **x509, const unsigned char **inp,
410
+ long length);
411
+
412
+ // X509_alias_set1 sets |x509|'s alias to |len| bytes from |name|. If |name| is
413
+ // NULL, the alias is cleared instead. Aliases are not part of the certificate
414
+ // itself and will not be serialized by |i2d_X509|.
415
+ OPENSSL_EXPORT int X509_alias_set1(X509 *x509, const unsigned char *name,
416
+ int len);
417
+
418
+ // X509_keyid_set1 sets |x509|'s key ID to |len| bytes from |id|. If |id| is
419
+ // NULL, the key ID is cleared instead. Key IDs are not part of the certificate
420
+ // itself and will not be serialized by |i2d_X509|.
421
+ OPENSSL_EXPORT int X509_keyid_set1(X509 *x509, const unsigned char *id,
422
+ int len);
423
+
424
+ // X509_alias_get0 looks up |x509|'s alias. If found, it sets |*out_len| to the
425
+ // alias's length and returns a pointer to a buffer containing the contents. If
426
+ // not found, it outputs the empty string by returning NULL and setting
427
+ // |*out_len| to zero.
428
+ //
429
+ // If |x509| was parsed from a PKCS#12 structure (see
430
+ // |PKCS12_get_key_and_certs|), the alias will reflect the friendlyName
431
+ // attribute (RFC 2985).
432
+ //
433
+ // WARNING: In OpenSSL, this function did not set |*out_len| when the alias was
434
+ // missing. Callers that target both OpenSSL and BoringSSL should set the value
435
+ // to zero before calling this function.
436
+ OPENSSL_EXPORT unsigned char *X509_alias_get0(X509 *x509, int *out_len);
437
+
438
+ // X509_keyid_get0 looks up |x509|'s key ID. If found, it sets |*out_len| to the
439
+ // key ID's length and returns a pointer to a buffer containing the contents. If
440
+ // not found, it outputs the empty string by returning NULL and setting
441
+ // |*out_len| to zero.
442
+ //
443
+ // WARNING: In OpenSSL, this function did not set |*out_len| when the alias was
444
+ // missing. Callers that target both OpenSSL and BoringSSL should set the value
445
+ // to zero before calling this function.
446
+ OPENSSL_EXPORT unsigned char *X509_keyid_get0(X509 *x509, int *out_len);
447
+
448
+
449
+ // Certificate revocation lists.
450
+ //
451
+ // An |X509_CRL| object represents an X.509 certificate revocation list (CRL),
452
+ // defined in RFC 5280. A CRL is a signed list of certificates which are no
453
+ // longer considered valid.
454
+ //
455
+ // Although an |X509_CRL| is a mutable object, mutating an |X509_CRL| can give
456
+ // incorrect results. Callers typically obtain |X509_CRL|s by parsing some input
457
+ // with |d2i_X509_CRL|, etc. Such objects carry information such as the
458
+ // serialized TBSCertList and decoded extensions, which will become inconsistent
459
+ // when mutated.
460
+ //
461
+ // Instead, mutation functions should only be used when issuing new CRLs, as
462
+ // described in a later section.
463
+
464
+ DEFINE_STACK_OF(X509_CRL)
465
+
466
+ // X509_CRL is an |ASN1_ITEM| whose ASN.1 type is X.509 CertificateList (RFC
467
+ // 5280) and C type is |X509_CRL*|.
468
+ DECLARE_ASN1_ITEM(X509_CRL)
469
+
470
+ // X509_CRL_up_ref adds one to the reference count of |crl| and returns one.
471
+ OPENSSL_EXPORT int X509_CRL_up_ref(X509_CRL *crl);
472
+
473
+ // X509_CRL_dup returns a newly-allocated copy of |crl|, or NULL on error. This
474
+ // function works by serializing the structure, so if |crl| is incomplete, it
475
+ // may fail.
476
+ //
477
+ // TODO(https://crbug.com/boringssl/407): This function should be const and
478
+ // thread-safe but is currently neither in some cases, notably if |crl| was
479
+ // mutated.
480
+ OPENSSL_EXPORT X509_CRL *X509_CRL_dup(X509_CRL *crl);
481
+
482
+ // X509_CRL_free decrements |crl|'s reference count and, if zero, releases
483
+ // memory associated with |crl|.
484
+ OPENSSL_EXPORT void X509_CRL_free(X509_CRL *crl);
485
+
486
+ // d2i_X509_CRL parses up to |len| bytes from |*inp| as a DER-encoded X.509
487
+ // CertificateList (RFC 5280), as described in |d2i_SAMPLE|.
488
+ OPENSSL_EXPORT X509_CRL *d2i_X509_CRL(X509_CRL **out, const uint8_t **inp,
489
+ long len);
490
+
491
+ // i2d_X509_CRL marshals |crl| as a X.509 CertificateList (RFC 5280), as
492
+ // described in |i2d_SAMPLE|.
493
+ //
494
+ // TODO(https://crbug.com/boringssl/407): This function should be const and
495
+ // thread-safe but is currently neither in some cases, notably if |crl| was
496
+ // mutated.
497
+ OPENSSL_EXPORT int i2d_X509_CRL(X509_CRL *crl, uint8_t **outp);
498
+
499
+ #define X509_CRL_VERSION_1 0
500
+ #define X509_CRL_VERSION_2 1
501
+
502
+ // X509_CRL_get_version returns the numerical value of |crl|'s version, which
503
+ // will be one of the |X509_CRL_VERSION_*| constants.
504
+ OPENSSL_EXPORT long X509_CRL_get_version(const X509_CRL *crl);
505
+
506
+ // X509_CRL_get0_lastUpdate returns |crl|'s thisUpdate time. The OpenSSL API
507
+ // refers to this field as lastUpdate.
508
+ OPENSSL_EXPORT const ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl);
509
+
510
+ // X509_CRL_get0_nextUpdate returns |crl|'s nextUpdate time, or NULL if |crl|
511
+ // has none.
512
+ OPENSSL_EXPORT const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl);
513
+
514
+ // X509_CRL_get_issuer returns |crl|'s issuer name. Note this function is not
515
+ // const-correct for legacy reasons.
516
+ OPENSSL_EXPORT X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl);
517
+
518
+ // X509_CRL_get_REVOKED returns the list of revoked certificates in |crl|, or
519
+ // NULL if |crl| omits it.
520
+ //
521
+ // TOOD(davidben): This function was originally a macro, without clear const
522
+ // semantics. It should take a const input and give const output, but the latter
523
+ // would break existing callers. For now, we match upstream.
524
+ OPENSSL_EXPORT STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl);
525
+
526
+ // X509_CRL_get0_extensions returns |crl|'s extension list, or NULL if |crl|
527
+ // omits it.
528
+ OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(
529
+ const X509_CRL *crl);
530
+
531
+ // X509_CRL_get_ext_count returns the number of extensions in |x|.
532
+ OPENSSL_EXPORT int X509_CRL_get_ext_count(const X509_CRL *x);
533
+
534
+ // X509_CRL_get_ext_by_NID behaves like |X509v3_get_ext_by_NID| but searches for
535
+ // extensions in |x|.
536
+ OPENSSL_EXPORT int X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid,
537
+ int lastpos);
538
+
539
+ // X509_CRL_get_ext_by_OBJ behaves like |X509v3_get_ext_by_OBJ| but searches for
540
+ // extensions in |x|.
541
+ OPENSSL_EXPORT int X509_CRL_get_ext_by_OBJ(const X509_CRL *x,
542
+ const ASN1_OBJECT *obj, int lastpos);
543
+
544
+ // X509_CRL_get_ext_by_critical behaves like |X509v3_get_ext_by_critical| but
545
+ // searches for extensions in |x|.
546
+ OPENSSL_EXPORT int X509_CRL_get_ext_by_critical(const X509_CRL *x, int crit,
547
+ int lastpos);
548
+
549
+ // X509_CRL_get_ext returns the extension in |x| at index |loc|, or NULL if
550
+ // |loc| is out of bounds. This function returns a non-const pointer for OpenSSL
551
+ // compatibility, but callers should not mutate the result.
552
+ OPENSSL_EXPORT X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc);
553
+
554
+ // X509_CRL_get0_signature sets |*out_sig| and |*out_alg| to the signature and
555
+ // signature algorithm of |crl|, respectively. Either output pointer may be NULL
556
+ // to ignore the value.
557
+ //
558
+ // This function outputs the outer signature algorithm, not the one in the
559
+ // TBSCertList. CRLs with mismatched signature algorithms will successfully
560
+ // parse, but they will be rejected when verifying.
561
+ OPENSSL_EXPORT void X509_CRL_get0_signature(const X509_CRL *crl,
562
+ const ASN1_BIT_STRING **out_sig,
563
+ const X509_ALGOR **out_alg);
564
+
565
+ // X509_CRL_get_signature_nid returns the NID corresponding to |crl|'s signature
566
+ // algorithm, or |NID_undef| if the signature algorithm does not correspond to
567
+ // a known NID.
568
+ OPENSSL_EXPORT int X509_CRL_get_signature_nid(const X509_CRL *crl);
569
+
570
+ // i2d_X509_CRL_tbs serializes the TBSCertList portion of |crl|, as described in
571
+ // |i2d_SAMPLE|.
572
+ //
573
+ // This function preserves the original encoding of the TBSCertList and may not
574
+ // reflect modifications made to |crl|. It may be used to manually verify the
575
+ // signature of an existing CRL. To generate CRLs, use |i2d_re_X509_CRL_tbs|
576
+ // instead.
577
+ OPENSSL_EXPORT int i2d_X509_CRL_tbs(X509_CRL *crl, unsigned char **outp);
578
+
579
+
580
+ // Issuing certificate revocation lists.
581
+ //
582
+ // An |X509_CRL| object may also represent an incomplete CRL. Callers may
583
+ // construct empty |X509_CRL| objects, fill in fields individually, and finally
584
+ // sign the result. The following functions may be used for this purpose.
585
+
586
+ // X509_CRL_new returns a newly-allocated, empty |X509_CRL| object, or NULL on
587
+ // error. This object may be filled in and then signed to construct a CRL.
588
+ OPENSSL_EXPORT X509_CRL *X509_CRL_new(void);
589
+
590
+ // X509_CRL_set_version sets |crl|'s version to |version|, which should be one
591
+ // of the |X509_CRL_VERSION_*| constants. It returns one on success and zero on
592
+ // error.
593
+ //
594
+ // If unsure, use |X509_CRL_VERSION_2|. Note that, unlike certificates, CRL
595
+ // versions are only defined up to v2. Callers should not use |X509_VERSION_3|.
596
+ OPENSSL_EXPORT int X509_CRL_set_version(X509_CRL *crl, long version);
597
+
598
+ // X509_CRL_set_issuer_name sets |crl|'s issuer to a copy of |name|. It returns
599
+ // one on success and zero on error.
600
+ OPENSSL_EXPORT int X509_CRL_set_issuer_name(X509_CRL *crl, X509_NAME *name);
601
+
602
+ // X509_CRL_set1_lastUpdate sets |crl|'s thisUpdate time to |tm|. It returns one
603
+ // on success and zero on error. The OpenSSL API refers to this field as
604
+ // lastUpdate.
605
+ OPENSSL_EXPORT int X509_CRL_set1_lastUpdate(X509_CRL *crl, const ASN1_TIME *tm);
606
+
607
+ // X509_CRL_set1_nextUpdate sets |crl|'s nextUpdate time to |tm|. It returns one
608
+ // on success and zero on error.
609
+ OPENSSL_EXPORT int X509_CRL_set1_nextUpdate(X509_CRL *crl, const ASN1_TIME *tm);
610
+
611
+ // X509_CRL_delete_ext removes the extension in |x| at index |loc| and returns
612
+ // the removed extension, or NULL if |loc| was out of bounds. If non-NULL, the
613
+ // caller must release the result with |X509_EXTENSION_free|.
614
+ OPENSSL_EXPORT X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc);
615
+
616
+ // X509_CRL_add_ext adds a copy of |ex| to |x|. It returns one on success and
617
+ // zero on failure. The caller retains ownership of |ex| and can release it
618
+ // independently of |x|.
619
+ //
620
+ // The new extension is inserted at index |loc|, shifting extensions to the
621
+ // right. If |loc| is -1 or out of bounds, the new extension is appended to the
622
+ // list.
623
+ OPENSSL_EXPORT int X509_CRL_add_ext(X509_CRL *x, const X509_EXTENSION *ex,
624
+ int loc);
625
+
626
+ // X509_CRL_sign signs |crl| with |pkey| and replaces the signature algorithm
627
+ // and signature fields. It returns one on success and zero on error. This
628
+ // function uses digest algorithm |md|, or |pkey|'s default if NULL. Other
629
+ // signing parameters use |pkey|'s defaults. To customize them, use
630
+ // |X509_CRL_sign_ctx|.
631
+ OPENSSL_EXPORT int X509_CRL_sign(X509_CRL *crl, EVP_PKEY *pkey,
632
+ const EVP_MD *md);
633
+
634
+ // X509_CRL_sign_ctx signs |crl| with |ctx| and replaces the signature algorithm
635
+ // and signature fields. It returns one on success and zero on error. The
636
+ // signature algorithm and parameters come from |ctx|, which must have been
637
+ // initialized with |EVP_DigestSignInit|. The caller should configure the
638
+ // corresponding |EVP_PKEY_CTX| before calling this function.
639
+ OPENSSL_EXPORT int X509_CRL_sign_ctx(X509_CRL *crl, EVP_MD_CTX *ctx);
640
+
641
+ // i2d_re_X509_CRL_tbs serializes the TBSCertList portion of |crl|, as described
642
+ // in |i2d_SAMPLE|.
643
+ //
644
+ // This function re-encodes the TBSCertList and may not reflect |crl|'s original
645
+ // encoding. It may be used to manually generate a signature for a new CRL. To
646
+ // verify CRLs, use |i2d_X509_CRL_tbs| instead.
647
+ OPENSSL_EXPORT int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **outp);
648
+
649
+ // X509_CRL_set1_signature_algo sets |crl|'s signature algorithm to |algo| and
650
+ // returns one on success or zero on error. It updates both the signature field
651
+ // of the TBSCertList structure, and the signatureAlgorithm field of the CRL.
652
+ OPENSSL_EXPORT int X509_CRL_set1_signature_algo(X509_CRL *crl,
653
+ const X509_ALGOR *algo);
654
+
655
+ // X509_CRL_set1_signature_value sets |crl|'s signature to a copy of the
656
+ // |sig_len| bytes pointed by |sig|. It returns one on success and zero on
657
+ // error.
658
+ //
659
+ // Due to a specification error, X.509 CRLs store signatures in ASN.1 BIT
660
+ // STRINGs, but signature algorithms return byte strings rather than bit
661
+ // strings. This function creates a BIT STRING containing a whole number of
662
+ // bytes, with the bit order matching the DER encoding. This matches the
663
+ // encoding used by all X.509 signature algorithms.
664
+ OPENSSL_EXPORT int X509_CRL_set1_signature_value(X509_CRL *crl,
665
+ const uint8_t *sig,
666
+ size_t sig_len);
667
+
668
+
669
+ // Certificate requests.
670
+ //
671
+ // An |X509_REQ| represents a PKCS #10 certificate request (RFC 2986). These are
672
+ // also referred to as certificate signing requests or CSRs. CSRs are a common
673
+ // format used to request a certificate from a CA.
674
+ //
675
+ // Although an |X509_REQ| is a mutable object, mutating an |X509_REQ| can give
676
+ // incorrect results. Callers typically obtain |X509_REQ|s by parsing some input
677
+ // with |d2i_X509_REQ|, etc. Such objects carry information such as the
678
+ // serialized CertificationRequestInfo, which will become inconsistent when
679
+ // mutated.
680
+ //
681
+ // Instead, mutation functions should only be used when issuing new CRLs, as
682
+ // described in a later section.
683
+
684
+ // X509_REQ is an |ASN1_ITEM| whose ASN.1 type is CertificateRequest (RFC 2986)
685
+ // and C type is |X509_REQ*|.
686
+ DECLARE_ASN1_ITEM(X509_REQ)
687
+
688
+ // X509_REQ_dup returns a newly-allocated copy of |req|, or NULL on error. This
689
+ // function works by serializing the structure, so if |req| is incomplete, it
690
+ // may fail.
691
+ //
692
+ // TODO(https://crbug.com/boringssl/407): This function should be const and
693
+ // thread-safe but is currently neither in some cases, notably if |req| was
694
+ // mutated.
695
+ OPENSSL_EXPORT X509_REQ *X509_REQ_dup(X509_REQ *req);
696
+
697
+ // X509_REQ_free releases memory associated with |req|.
698
+ OPENSSL_EXPORT void X509_REQ_free(X509_REQ *req);
699
+
700
+ // d2i_X509_REQ parses up to |len| bytes from |*inp| as a DER-encoded
701
+ // CertificateRequest (RFC 2986), as described in |d2i_SAMPLE|.
702
+ OPENSSL_EXPORT X509_REQ *d2i_X509_REQ(X509_REQ **out, const uint8_t **inp,
703
+ long len);
704
+
705
+ // i2d_X509_REQ marshals |req| as a CertificateRequest (RFC 2986), as described
706
+ // in |i2d_SAMPLE|.
707
+ //
708
+ // TODO(https://crbug.com/boringssl/407): This function should be const and
709
+ // thread-safe but is currently neither in some cases, notably if |req| was
710
+ // mutated.
711
+ OPENSSL_EXPORT int i2d_X509_REQ(X509_REQ *req, uint8_t **outp);
712
+
713
+
714
+ // X509_REQ_VERSION_1 is the version constant for |X509_REQ| objects. No other
715
+ // versions are defined.
716
+ #define X509_REQ_VERSION_1 0
717
+
718
+ // X509_REQ_get_version returns the numerical value of |req|'s version. This
719
+ // will always be |X509_REQ_VERSION_1| for valid CSRs. For compatibility,
720
+ // |d2i_X509_REQ| also accepts some invalid version numbers, in which case this
721
+ // function may return other values.
722
+ OPENSSL_EXPORT long X509_REQ_get_version(const X509_REQ *req);
723
+
724
+ // X509_REQ_get_subject_name returns |req|'s subject name. Note this function is
725
+ // not const-correct for legacy reasons.
726
+ OPENSSL_EXPORT X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req);
727
+
728
+ // X509_REQ_get_pubkey returns |req|'s public key as an |EVP_PKEY|, or NULL if
729
+ // the public key was unsupported or could not be decoded. This function returns
730
+ // a reference to the |EVP_PKEY|. The caller must release the result with
731
+ // |EVP_PKEY_free| when done.
732
+ OPENSSL_EXPORT EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req);
733
+
734
+ // X509_REQ_get0_signature sets |*out_sig| and |*out_alg| to the signature and
735
+ // signature algorithm of |req|, respectively. Either output pointer may be NULL
736
+ // to ignore the value.
737
+ OPENSSL_EXPORT void X509_REQ_get0_signature(const X509_REQ *req,
738
+ const ASN1_BIT_STRING **out_sig,
739
+ const X509_ALGOR **out_alg);
740
+
741
+ // X509_REQ_get_signature_nid returns the NID corresponding to |req|'s signature
742
+ // algorithm, or |NID_undef| if the signature algorithm does not correspond to
743
+ // a known NID.
744
+ OPENSSL_EXPORT int X509_REQ_get_signature_nid(const X509_REQ *req);
745
+
746
+
747
+ // Issuing certificate requests.
748
+ //
749
+ // An |X509_REQ| object may also represent an incomplete CSR. Callers may
750
+ // construct empty |X509_REQ| objects, fill in fields individually, and finally
751
+ // sign the result. The following functions may be used for this purpose.
752
+
753
+ // X509_REQ_new returns a newly-allocated, empty |X509_REQ| object, or NULL on
754
+ // error. This object may be filled in and then signed to construct a CSR.
755
+ OPENSSL_EXPORT X509_REQ *X509_REQ_new(void);
756
+
757
+ // X509_REQ_set_version sets |req|'s version to |version|, which should be
758
+ // |X509_REQ_VERSION_1|. It returns one on success and zero on error.
759
+ //
760
+ // The only defined CSR version is |X509_REQ_VERSION_1|, so there is no need to
761
+ // call this function.
762
+ OPENSSL_EXPORT int X509_REQ_set_version(X509_REQ *req, long version);
763
+
764
+ // X509_REQ_set_subject_name sets |req|'s subject to a copy of |name|. It
765
+ // returns one on success and zero on error.
766
+ OPENSSL_EXPORT int X509_REQ_set_subject_name(X509_REQ *req, X509_NAME *name);
767
+
768
+ // X509_REQ_set_pubkey sets |req|'s public key to |pkey|. It returns one on
769
+ // success and zero on error. This function does not take ownership of |pkey|
770
+ // and internally copies and updates reference counts as needed.
771
+ OPENSSL_EXPORT int X509_REQ_set_pubkey(X509_REQ *req, EVP_PKEY *pkey);
772
+
773
+ // X509_REQ_sign signs |req| with |pkey| and replaces the signature algorithm
774
+ // and signature fields. It returns one on success and zero on error. This
775
+ // function uses digest algorithm |md|, or |pkey|'s default if NULL. Other
776
+ // signing parameters use |pkey|'s defaults. To customize them, use
777
+ // |X509_REQ_sign_ctx|.
778
+ OPENSSL_EXPORT int X509_REQ_sign(X509_REQ *req, EVP_PKEY *pkey,
779
+ const EVP_MD *md);
780
+
781
+ // X509_REQ_sign_ctx signs |req| with |ctx| and replaces the signature algorithm
782
+ // and signature fields. It returns one on success and zero on error. The
783
+ // signature algorithm and parameters come from |ctx|, which must have been
784
+ // initialized with |EVP_DigestSignInit|. The caller should configure the
785
+ // corresponding |EVP_PKEY_CTX| before calling this function.
786
+ OPENSSL_EXPORT int X509_REQ_sign_ctx(X509_REQ *req, EVP_MD_CTX *ctx);
787
+
788
+ // i2d_re_X509_REQ_tbs serializes the CertificationRequestInfo (see RFC 2986)
789
+ // portion of |req|, as described in |i2d_SAMPLE|.
790
+ //
791
+ // This function re-encodes the CertificationRequestInfo and may not reflect
792
+ // |req|'s original encoding. It may be used to manually generate a signature
793
+ // for a new certificate request.
794
+ OPENSSL_EXPORT int i2d_re_X509_REQ_tbs(X509_REQ *req, uint8_t **outp);
795
+
796
+ // X509_REQ_set1_signature_algo sets |req|'s signature algorithm to |algo| and
797
+ // returns one on success or zero on error.
798
+ OPENSSL_EXPORT int X509_REQ_set1_signature_algo(X509_REQ *req,
799
+ const X509_ALGOR *algo);
800
+
801
+ // X509_REQ_set1_signature_value sets |req|'s signature to a copy of the
802
+ // |sig_len| bytes pointed by |sig|. It returns one on success and zero on
803
+ // error.
804
+ //
805
+ // Due to a specification error, PKCS#10 certificate requests store signatures
806
+ // in ASN.1 BIT STRINGs, but signature algorithms return byte strings rather
807
+ // than bit strings. This function creates a BIT STRING containing a whole
808
+ // number of bytes, with the bit order matching the DER encoding. This matches
809
+ // the encoding used by all X.509 signature algorithms.
810
+ OPENSSL_EXPORT int X509_REQ_set1_signature_value(X509_REQ *req,
811
+ const uint8_t *sig,
812
+ size_t sig_len);
813
+
814
+
815
+ // Names.
816
+ //
817
+ // An |X509_NAME| represents an X.509 Name structure (RFC 5280). X.509 names are
818
+ // a complex, hierarchical structure over a collection of attributes. Each name
819
+ // is sequence of relative distinguished names (RDNs), decreasing in
820
+ // specificity. For example, the first RDN may specify the country, while the
821
+ // next RDN may specify a locality. Each RDN is, itself, a set of attributes.
822
+ // Having more than one attribute in an RDN is uncommon, but possible. Within an
823
+ // RDN, attributes have the same level in specificity. Attribute types are
824
+ // OBJECT IDENTIFIERs. This determines the ASN.1 type of the value, which is
825
+ // commonly a string but may be other types.
826
+ //
827
+ // The |X509_NAME| representation flattens this two-level structure into a
828
+ // single list of attributes. Each attribute is stored in an |X509_NAME_ENTRY|,
829
+ // with also maintains the index of the RDN it is part of, accessible via
830
+ // |X509_NAME_ENTRY_set|. This can be used to recover the two-level structure.
831
+ //
832
+ // X.509 names are largely vestigial. Historically, DNS names were parsed out of
833
+ // the subject's common name attribute, but this is deprecated and has since
834
+ // moved to the subject alternative name extension. In modern usage, X.509 names
835
+ // are primarily opaque identifiers to link a certificate with its issuer.
836
+
837
+ DEFINE_STACK_OF(X509_NAME_ENTRY)
838
+ DEFINE_STACK_OF(X509_NAME)
839
+
840
+ // X509_NAME is an |ASN1_ITEM| whose ASN.1 type is X.509 Name (RFC 5280) and C
841
+ // type is |X509_NAME*|.
842
+ DECLARE_ASN1_ITEM(X509_NAME)
843
+
844
+ // X509_NAME_new returns a new, empty |X509_NAME_new|, or NULL on
845
+ // error.
846
+ OPENSSL_EXPORT X509_NAME *X509_NAME_new(void);
847
+
848
+ // X509_NAME_free releases memory associated with |name|.
849
+ OPENSSL_EXPORT void X509_NAME_free(X509_NAME *name);
850
+
851
+ // d2i_X509_NAME parses up to |len| bytes from |*inp| as a DER-encoded X.509
852
+ // Name (RFC 5280), as described in |d2i_SAMPLE|.
853
+ OPENSSL_EXPORT X509_NAME *d2i_X509_NAME(X509_NAME **out, const uint8_t **inp,
854
+ long len);
855
+
856
+ // i2d_X509_NAME marshals |in| as a DER-encoded X.509 Name (RFC 5280), as
857
+ // described in |i2d_SAMPLE|.
858
+ //
859
+ // TODO(https://crbug.com/boringssl/407): This function should be const and
860
+ // thread-safe but is currently neither in some cases, notably if |in| was
861
+ // mutated.
862
+ OPENSSL_EXPORT int i2d_X509_NAME(X509_NAME *in, uint8_t **outp);
863
+
864
+ // X509_NAME_dup returns a newly-allocated copy of |name|, or NULL on error.
865
+ //
866
+ // TODO(https://crbug.com/boringssl/407): This function should be const and
867
+ // thread-safe but is currently neither in some cases, notably if |name| was
868
+ // mutated.
869
+ OPENSSL_EXPORT X509_NAME *X509_NAME_dup(X509_NAME *name);
870
+
871
+ // X509_NAME_get0_der sets |*out_der| and |*out_der_len|
872
+ //
873
+ // Avoid this function and prefer |i2d_X509_NAME|. It is one of the reasons
874
+ // these functions are not consistently thread-safe or const-correct. Depending
875
+ // on the resolution of https://crbug.com/boringssl/407, this function may be
876
+ // removed or cause poor performance.
877
+ OPENSSL_EXPORT int X509_NAME_get0_der(X509_NAME *name, const uint8_t **out_der,
878
+ size_t *out_der_len);
879
+
880
+ // X509_NAME_set makes a copy of |name|. On success, it frees |*xn|, sets |*xn|
881
+ // to the copy, and returns one. Otherwise, it returns zero.
882
+ //
883
+ // TODO(https://crbug.com/boringssl/407): This function should be const and
884
+ // thread-safe but is currently neither in some cases, notably if |name| was
885
+ // mutated.
886
+ OPENSSL_EXPORT int X509_NAME_set(X509_NAME **xn, X509_NAME *name);
887
+
888
+ // X509_NAME_entry_count returns the number of entries in |name|.
889
+ OPENSSL_EXPORT int X509_NAME_entry_count(const X509_NAME *name);
890
+
891
+ // X509_NAME_get_index_by_NID returns the zero-based index of the first
892
+ // attribute in |name| with type |nid|, or -1 if there is none. |nid| should be
893
+ // one of the |NID_*| constants. If |lastpos| is non-negative, it begins
894
+ // searching at |lastpos+1|. To search all attributes, pass in -1, not zero.
895
+ //
896
+ // Indices from this function refer to |X509_NAME|'s flattened representation.
897
+ OPENSSL_EXPORT int X509_NAME_get_index_by_NID(const X509_NAME *name, int nid,
898
+ int lastpos);
899
+
900
+ // X509_NAME_get_index_by_OBJ behaves like |X509_NAME_get_index_by_NID| but
901
+ // looks for attributes with type |obj|.
902
+ OPENSSL_EXPORT int X509_NAME_get_index_by_OBJ(const X509_NAME *name,
903
+ const ASN1_OBJECT *obj,
904
+ int lastpos);
905
+
906
+ // X509_NAME_get_entry returns the attribute in |name| at index |loc|, or NULL
907
+ // if |loc| is out of range. |loc| is interpreted using |X509_NAME|'s flattened
908
+ // representation. This function returns a non-const pointer for OpenSSL
909
+ // compatibility, but callers should not mutate the result. Doing so will break
910
+ // internal invariants in the library.
911
+ OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_get_entry(const X509_NAME *name,
912
+ int loc);
913
+
914
+ // X509_NAME_delete_entry removes and returns the attribute in |name| at index
915
+ // |loc|, or NULL if |loc| is out of range. |loc| is interpreted using
916
+ // |X509_NAME|'s flattened representation. If the attribute is found, the caller
917
+ // is responsible for releasing the result with |X509_NAME_ENTRY_free|.
918
+ //
919
+ // This function will internally update RDN indices (see |X509_NAME_ENTRY_set|)
920
+ // so they continue to be consecutive.
921
+ OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name,
922
+ int loc);
923
+
924
+ // X509_NAME_add_entry adds a copy of |entry| to |name| and returns one on
925
+ // success or zero on error. If |loc| is -1, the entry is appended to |name|.
926
+ // Otherwise, it is inserted at index |loc|. If |set| is -1, the entry is added
927
+ // to the previous entry's RDN. If it is 0, the entry becomes a singleton RDN.
928
+ // If 1, it is added to next entry's RDN.
929
+ //
930
+ // This function will internally update RDN indices (see |X509_NAME_ENTRY_set|)
931
+ // so they continue to be consecutive.
932
+ OPENSSL_EXPORT int X509_NAME_add_entry(X509_NAME *name,
933
+ const X509_NAME_ENTRY *entry, int loc,
934
+ int set);
935
+
936
+ // X509_NAME_add_entry_by_OBJ adds a new entry to |name| and returns one on
937
+ // success or zero on error. The entry's attribute type is |obj|. The entry's
938
+ // attribute value is determined by |type|, |bytes|, and |len|, as in
939
+ // |X509_NAME_ENTRY_set_data|. The entry's position is determined by |loc| and
940
+ // |set| as in |X509_NAME_add_entry|.
941
+ OPENSSL_EXPORT int X509_NAME_add_entry_by_OBJ(X509_NAME *name,
942
+ const ASN1_OBJECT *obj, int type,
943
+ const uint8_t *bytes, int len,
944
+ int loc, int set);
945
+
946
+ // X509_NAME_add_entry_by_NID behaves like |X509_NAME_add_entry_by_OBJ| but sets
947
+ // the entry's attribute type to |nid|, which should be one of the |NID_*|
948
+ // constants.
949
+ OPENSSL_EXPORT int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid,
950
+ int type, const uint8_t *bytes,
951
+ int len, int loc, int set);
952
+
953
+ // X509_NAME_add_entry_by_txt behaves like |X509_NAME_add_entry_by_OBJ| but sets
954
+ // the entry's attribute type to |field|, which is passed to |OBJ_txt2obj|.
955
+ OPENSSL_EXPORT int X509_NAME_add_entry_by_txt(X509_NAME *name,
956
+ const char *field, int type,
957
+ const uint8_t *bytes, int len,
958
+ int loc, int set);
959
+
960
+ // X509_NAME_ENTRY is an |ASN1_ITEM| whose ASN.1 type is AttributeTypeAndValue
961
+ // (RFC 5280) and C type is |X509_NAME_ENTRY*|.
962
+ DECLARE_ASN1_ITEM(X509_NAME_ENTRY)
963
+
964
+ // X509_NAME_ENTRY_new returns a new, empty |X509_NAME_ENTRY_new|, or NULL on
965
+ // error.
966
+ OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_new(void);
967
+
968
+ // X509_NAME_ENTRY_free releases memory associated with |entry|.
969
+ OPENSSL_EXPORT void X509_NAME_ENTRY_free(X509_NAME_ENTRY *entry);
970
+
971
+ // d2i_X509_NAME_ENTRY parses up to |len| bytes from |*inp| as a DER-encoded
972
+ // AttributeTypeAndValue (RFC 5280), as described in |d2i_SAMPLE|.
973
+ OPENSSL_EXPORT X509_NAME_ENTRY *d2i_X509_NAME_ENTRY(X509_NAME_ENTRY **out,
974
+ const uint8_t **inp,
975
+ long len);
976
+
977
+ // i2d_X509_NAME_ENTRY marshals |in| as a DER-encoded AttributeTypeAndValue (RFC
978
+ // 5280), as described in |i2d_SAMPLE|.
979
+ OPENSSL_EXPORT int i2d_X509_NAME_ENTRY(const X509_NAME_ENTRY *in,
980
+ uint8_t **outp);
981
+
982
+ // X509_NAME_ENTRY_dup returns a newly-allocated copy of |entry|, or NULL on
983
+ // error.
984
+ OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_dup(
985
+ const X509_NAME_ENTRY *entry);
986
+
987
+ // X509_NAME_ENTRY_get_object returns |entry|'s attribute type. This function
988
+ // returns a non-const pointer for OpenSSL compatibility, but callers should not
989
+ // mutate the result. Doing so will break internal invariants in the library.
990
+ OPENSSL_EXPORT ASN1_OBJECT *X509_NAME_ENTRY_get_object(
991
+ const X509_NAME_ENTRY *entry);
992
+
993
+ // X509_NAME_ENTRY_set_object sets |entry|'s attribute type to |obj|. It returns
994
+ // one on success and zero on error.
995
+ OPENSSL_EXPORT int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *entry,
996
+ const ASN1_OBJECT *obj);
997
+
998
+ // X509_NAME_ENTRY_get_data returns |entry|'s attribute value, represented as an
999
+ // |ASN1_STRING|. This value may have any ASN.1 type, so callers must check the
1000
+ // type before interpreting the contents. This function returns a non-const
1001
+ // pointer for OpenSSL compatibility, but callers should not mutate the result.
1002
+ // Doing so will break internal invariants in the library.
1003
+ //
1004
+ // TODO(https://crbug.com/boringssl/412): Although the spec says any ASN.1 type
1005
+ // is allowed, we currently only allow an ad-hoc set of types. Additionally, it
1006
+ // is unclear if some types can even be represented by this function.
1007
+ OPENSSL_EXPORT ASN1_STRING *X509_NAME_ENTRY_get_data(
1008
+ const X509_NAME_ENTRY *entry);
1009
+
1010
+ // X509_NAME_ENTRY_set_data sets |entry|'s value to |len| bytes from |bytes|. It
1011
+ // returns one on success and zero on error. If |len| is -1, |bytes| must be a
1012
+ // NUL-terminated C string and the length is determined by |strlen|. |bytes| is
1013
+ // converted to an ASN.1 type as follows:
1014
+ //
1015
+ // If |type| is a |MBSTRING_*| constant, the value is an ASN.1 string. The
1016
+ // string is determined by decoding |bytes| in the encoding specified by |type|,
1017
+ // and then re-encoding it in a form appropriate for |entry|'s attribute type.
1018
+ // See |ASN1_STRING_set_by_NID| for details.
1019
+ //
1020
+ // Otherwise, the value is an |ASN1_STRING| with type |type| and value |bytes|.
1021
+ // See |ASN1_STRING| for how to format ASN.1 types as an |ASN1_STRING|. If
1022
+ // |type| is |V_ASN1_UNDEF| the previous |ASN1_STRING| type is reused.
1023
+ OPENSSL_EXPORT int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *entry, int type,
1024
+ const uint8_t *bytes, int len);
1025
+
1026
+ // X509_NAME_ENTRY_set returns the zero-based index of the RDN which contains
1027
+ // |entry|. Consecutive entries with the same index are part of the same RDN.
1028
+ OPENSSL_EXPORT int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *entry);
1029
+
1030
+ // X509_NAME_ENTRY_create_by_OBJ creates a new |X509_NAME_ENTRY| with attribute
1031
+ // type |obj|. The attribute value is determined from |type|, |bytes|, and |len|
1032
+ // as in |X509_NAME_ENTRY_set_data|. It returns the |X509_NAME_ENTRY| on success
1033
+ // and NULL on error.
1034
+ //
1035
+ // If |out| is non-NULL and |*out| is NULL, it additionally sets |*out| to the
1036
+ // result on success. If both |out| and |*out| are non-NULL, it updates the
1037
+ // object at |*out| instead of allocating a new one.
1038
+ OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(
1039
+ X509_NAME_ENTRY **out, const ASN1_OBJECT *obj, int type,
1040
+ const uint8_t *bytes, int len);
1041
+
1042
+ // X509_NAME_ENTRY_create_by_NID behaves like |X509_NAME_ENTRY_create_by_OBJ|
1043
+ // except the attribute type is |nid|, which should be one of the |NID_*|
1044
+ // constants.
1045
+ OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(
1046
+ X509_NAME_ENTRY **out, int nid, int type, const uint8_t *bytes, int len);
1047
+
1048
+ // X509_NAME_ENTRY_create_by_txt behaves like |X509_NAME_ENTRY_create_by_OBJ|
1049
+ // except the attribute type is |field|, which is passed to |OBJ_txt2obj|.
1050
+ OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(
1051
+ X509_NAME_ENTRY **out, const char *field, int type, const uint8_t *bytes,
1052
+ int len);
1053
+
1054
+
1055
+ // Extensions.
1056
+ //
1057
+ // X.509 certificates and CRLs may contain a list of extensions (RFC 5280).
1058
+ // Extensions have a type, specified by an object identifier (|ASN1_OBJECT|) and
1059
+ // a byte string value, which should a DER-encoded structure whose type is
1060
+ // determined by the extension type. This library represents extensions with the
1061
+ // |X509_EXTENSION| type.
1062
+
1063
+ // X509_EXTENSION is an |ASN1_ITEM| whose ASN.1 type is X.509 Extension (RFC
1064
+ // 5280) and C type is |X509_EXTENSION*|.
1065
+ DECLARE_ASN1_ITEM(X509_EXTENSION)
1066
+
1067
+ // X509_EXTENSION_new returns a newly-allocated, empty |X509_EXTENSION| object
1068
+ // or NULL on error.
1069
+ OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_new(void);
1070
+
1071
+ // X509_EXTENSION_free releases memory associated with |ex|.
1072
+ OPENSSL_EXPORT void X509_EXTENSION_free(X509_EXTENSION *ex);
1073
+
1074
+ // d2i_X509_EXTENSION parses up to |len| bytes from |*inp| as a DER-encoded
1075
+ // X.509 Extension (RFC 5280), as described in |d2i_SAMPLE|.
1076
+ OPENSSL_EXPORT X509_EXTENSION *d2i_X509_EXTENSION(X509_EXTENSION **out,
1077
+ const uint8_t **inp,
1078
+ long len);
1079
+
1080
+ // i2d_X509_EXTENSION marshals |ex| as a DER-encoded X.509 Extension (RFC
1081
+ // 5280), as described in |i2d_SAMPLE|.
1082
+ OPENSSL_EXPORT int i2d_X509_EXTENSION(const X509_EXTENSION *ex, uint8_t **outp);
1083
+
1084
+ // X509_EXTENSION_dup returns a newly-allocated copy of |ex|, or NULL on error.
1085
+ // This function works by serializing the structure, so if |ex| is incomplete,
1086
+ // it may fail.
1087
+ OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_dup(const X509_EXTENSION *ex);
1088
+
1089
+ // X509_EXTENSION_create_by_NID creates a new |X509_EXTENSION| with type |nid|,
1090
+ // value |data|, and critical bit |crit|. It returns an |X509_EXTENSION| on
1091
+ // success, and NULL on error. |nid| should be a |NID_*| constant.
1092
+ //
1093
+ // If |ex| and |*ex| are both non-NULL, |*ex| is used to hold the result,
1094
+ // otherwise a new object is allocated. If |ex| is non-NULL and |*ex| is NULL,
1095
+ // the function sets |*ex| to point to the newly allocated result, in addition
1096
+ // to returning the result.
1097
+ OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_create_by_NID(
1098
+ X509_EXTENSION **ex, int nid, int crit, const ASN1_OCTET_STRING *data);
1099
+
1100
+ // X509_EXTENSION_create_by_OBJ behaves like |X509_EXTENSION_create_by_NID|, but
1101
+ // the extension type is determined by an |ASN1_OBJECT|.
1102
+ OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_create_by_OBJ(
1103
+ X509_EXTENSION **ex, const ASN1_OBJECT *obj, int crit,
1104
+ const ASN1_OCTET_STRING *data);
1105
+
1106
+ // X509_EXTENSION_get_object returns |ex|'s extension type. This function
1107
+ // returns a non-const pointer for OpenSSL compatibility, but callers should not
1108
+ // mutate the result.
1109
+ OPENSSL_EXPORT ASN1_OBJECT *X509_EXTENSION_get_object(const X509_EXTENSION *ex);
1110
+
1111
+ // X509_EXTENSION_get_data returns |ne|'s extension value. This function returns
1112
+ // a non-const pointer for OpenSSL compatibility, but callers should not mutate
1113
+ // the result.
1114
+ OPENSSL_EXPORT ASN1_OCTET_STRING *X509_EXTENSION_get_data(
1115
+ const X509_EXTENSION *ne);
1116
+
1117
+ // X509_EXTENSION_get_critical returns one if |ex| is critical and zero
1118
+ // otherwise.
1119
+ OPENSSL_EXPORT int X509_EXTENSION_get_critical(const X509_EXTENSION *ex);
1120
+
1121
+ // X509_EXTENSION_set_object sets |ex|'s extension type to |obj|. It returns one
1122
+ // on success and zero on error.
1123
+ OPENSSL_EXPORT int X509_EXTENSION_set_object(X509_EXTENSION *ex,
1124
+ const ASN1_OBJECT *obj);
1125
+
1126
+ // X509_EXTENSION_set_critical sets |ex| to critical if |crit| is non-zero and
1127
+ // to non-critical if |crit| is zero.
1128
+ OPENSSL_EXPORT int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit);
1129
+
1130
+ // X509_EXTENSION_set_data set's |ex|'s extension value to a copy of |data|. It
1131
+ // returns one on success and zero on error.
1132
+ OPENSSL_EXPORT int X509_EXTENSION_set_data(X509_EXTENSION *ex,
1133
+ const ASN1_OCTET_STRING *data);
1134
+
1135
+
1136
+ // Extension lists.
1137
+ //
1138
+ // The following functions manipulate lists of extensions. Most of them have
1139
+ // corresponding functions on the containing |X509|, |X509_CRL|, or
1140
+ // |X509_REVOKED|.
1141
+
1142
+ DEFINE_STACK_OF(X509_EXTENSION)
1143
+ typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS;
1144
+
1145
+ // X509_EXTENSIONS is an |ASN1_ITEM| whose ASN.1 type is SEQUENCE of Extension
1146
+ // (RFC 5280) and C type is |STACK_OF(X509_EXTENSION)*|.
1147
+ DECLARE_ASN1_ITEM(X509_EXTENSIONS)
1148
+
1149
+ // d2i_X509_EXTENSIONS parses up to |len| bytes from |*inp| as a DER-encoded
1150
+ // SEQUENCE OF Extension (RFC 5280), as described in |d2i_SAMPLE|.
1151
+ OPENSSL_EXPORT X509_EXTENSIONS *d2i_X509_EXTENSIONS(X509_EXTENSIONS **out,
1152
+ const uint8_t **inp,
1153
+ long len);
1154
+
1155
+ // i2d_X509_EXTENSIONS marshals |alg| as a DER-encoded SEQUENCE OF Extension
1156
+ // (RFC 5280), as described in |i2d_SAMPLE|.
1157
+ OPENSSL_EXPORT int i2d_X509_EXTENSIONS(const X509_EXTENSIONS *alg,
1158
+ uint8_t **outp);
1159
+
1160
+ // X509v3_get_ext_count returns the number of extensions in |x|.
1161
+ OPENSSL_EXPORT int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x);
1162
+
1163
+ // X509v3_get_ext_by_NID returns the index of the first extension in |x| with
1164
+ // type |nid|, or a negative number if not found. If found, callers can use
1165
+ // |X509v3_get_ext| to look up the extension by index.
1166
+ //
1167
+ // If |lastpos| is non-negative, it begins searching at |lastpos| + 1. Callers
1168
+ // can thus loop over all matching extensions by first passing -1 and then
1169
+ // passing the previously-returned value until no match is returned.
1170
+ OPENSSL_EXPORT int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x,
1171
+ int nid, int lastpos);
1172
+
1173
+ // X509v3_get_ext_by_OBJ behaves like |X509v3_get_ext_by_NID| but looks for
1174
+ // extensions matching |obj|.
1175
+ OPENSSL_EXPORT int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *x,
1176
+ const ASN1_OBJECT *obj, int lastpos);
1177
+
1178
+ // X509v3_get_ext_by_critical returns the index of the first extension in |x|
1179
+ // whose critical bit matches |crit|, or a negative number if no such extension
1180
+ // was found.
1181
+ //
1182
+ // If |lastpos| is non-negative, it begins searching at |lastpos| + 1. Callers
1183
+ // can thus loop over all matching extensions by first passing -1 and then
1184
+ // passing the previously-returned value until no match is returned.
1185
+ OPENSSL_EXPORT int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *x,
1186
+ int crit, int lastpos);
1187
+
1188
+ // X509v3_get_ext returns the extension in |x| at index |loc|, or NULL if |loc|
1189
+ // is out of bounds. This function returns a non-const pointer for OpenSSL
1190
+ // compatibility, but callers should not mutate the result.
1191
+ OPENSSL_EXPORT X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x,
1192
+ int loc);
1193
+
1194
+ // X509v3_delete_ext removes the extension in |x| at index |loc| and returns the
1195
+ // removed extension, or NULL if |loc| was out of bounds. If an extension was
1196
+ // returned, the caller must release it with |X509_EXTENSION_free|.
1197
+ OPENSSL_EXPORT X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x,
1198
+ int loc);
1199
+
1200
+ // X509v3_add_ext adds a copy of |ex| to the extension list in |*x|. If |*x| is
1201
+ // NULL, it allocates a new |STACK_OF(X509_EXTENSION)| to hold the copy and sets
1202
+ // |*x| to the new list. It returns |*x| on success and NULL on error. The
1203
+ // caller retains ownership of |ex| and can release it independently of |*x|.
1204
+ //
1205
+ // The new extension is inserted at index |loc|, shifting extensions to the
1206
+ // right. If |loc| is -1 or out of bounds, the new extension is appended to the
1207
+ // list.
1208
+ OPENSSL_EXPORT STACK_OF(X509_EXTENSION) *X509v3_add_ext(
1209
+ STACK_OF(X509_EXTENSION) **x, const X509_EXTENSION *ex, int loc);
1210
+
1211
+
1212
+ // Algorithm identifiers.
1213
+ //
1214
+ // An |X509_ALGOR| represents an AlgorithmIdentifier structure, used in X.509
1215
+ // to represent signature algorithms and public key algorithms.
1216
+
1217
+ DEFINE_STACK_OF(X509_ALGOR)
1218
+
1219
+ // X509_ALGOR is an |ASN1_ITEM| whose ASN.1 type is AlgorithmIdentifier and C
1220
+ // type is |X509_ALGOR*|.
1221
+ DECLARE_ASN1_ITEM(X509_ALGOR)
1222
+
1223
+ // X509_ALGOR_new returns a newly-allocated, empty |X509_ALGOR| object, or NULL
1224
+ // on error.
1225
+ OPENSSL_EXPORT X509_ALGOR *X509_ALGOR_new(void);
1226
+
1227
+ // X509_ALGOR_dup returns a newly-allocated copy of |alg|, or NULL on error.
1228
+ // This function works by serializing the structure, so if |alg| is incomplete,
1229
+ // it may fail.
1230
+ OPENSSL_EXPORT X509_ALGOR *X509_ALGOR_dup(const X509_ALGOR *alg);
1231
+
1232
+ // X509_ALGOR_free releases memory associated with |alg|.
1233
+ OPENSSL_EXPORT void X509_ALGOR_free(X509_ALGOR *alg);
1234
+
1235
+ // d2i_X509_ALGOR parses up to |len| bytes from |*inp| as a DER-encoded
1236
+ // AlgorithmIdentifier, as described in |d2i_SAMPLE|.
1237
+ OPENSSL_EXPORT X509_ALGOR *d2i_X509_ALGOR(X509_ALGOR **out, const uint8_t **inp,
1238
+ long len);
1239
+
1240
+ // i2d_X509_ALGOR marshals |alg| as a DER-encoded AlgorithmIdentifier, as
1241
+ // described in |i2d_SAMPLE|.
1242
+ OPENSSL_EXPORT int i2d_X509_ALGOR(const X509_ALGOR *alg, uint8_t **outp);
1243
+
1244
+ // X509_ALGOR_set0 sets |alg| to an AlgorithmIdentifier with algorithm |obj| and
1245
+ // parameter determined by |param_type| and |param_value|. It returns one on
1246
+ // success and zero on error. This function takes ownership of |obj| and
1247
+ // |param_value| on success.
1248
+ //
1249
+ // If |param_type| is |V_ASN1_UNDEF|, the parameter is omitted. If |param_type|
1250
+ // is zero, the parameter is left unchanged. Otherwise, |param_type| and
1251
+ // |param_value| are interpreted as in |ASN1_TYPE_set|.
1252
+ //
1253
+ // Note omitting the parameter (|V_ASN1_UNDEF|) and encoding an explicit NULL
1254
+ // value (|V_ASN1_NULL|) are different. Some algorithms require one and some the
1255
+ // other. Consult the relevant specification before calling this function. The
1256
+ // correct parameter for an RSASSA-PKCS1-v1_5 signature is |V_ASN1_NULL|. The
1257
+ // correct one for an ECDSA or Ed25519 signature is |V_ASN1_UNDEF|.
1258
+ OPENSSL_EXPORT int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *obj,
1259
+ int param_type, void *param_value);
1260
+
1261
+ // X509_ALGOR_get0 sets |*out_obj| to the |alg|'s algorithm. If |alg|'s
1262
+ // parameter is omitted, it sets |*out_param_type| and |*out_param_value| to
1263
+ // |V_ASN1_UNDEF| and NULL. Otherwise, it sets |*out_param_type| and
1264
+ // |*out_param_value| to the parameter, using the same representation as
1265
+ // |ASN1_TYPE_set0|. See |ASN1_TYPE_set0| and |ASN1_TYPE| for details.
1266
+ //
1267
+ // Callers that require the parameter in serialized form should, after checking
1268
+ // for |V_ASN1_UNDEF|, use |ASN1_TYPE_set1| and |d2i_ASN1_TYPE|, rather than
1269
+ // inspecting |*out_param_value|.
1270
+ //
1271
+ // Each of |out_obj|, |out_param_type|, and |out_param_value| may be NULL to
1272
+ // ignore the output. If |out_param_type| is NULL, |out_param_value| is ignored.
1273
+ //
1274
+ // WARNING: If |*out_param_type| is set to |V_ASN1_UNDEF|, OpenSSL and older
1275
+ // revisions of BoringSSL leave |*out_param_value| unset rather than setting it
1276
+ // to NULL. Callers that support both OpenSSL and BoringSSL should not assume
1277
+ // |*out_param_value| is uniformly initialized.
1278
+ OPENSSL_EXPORT void X509_ALGOR_get0(const ASN1_OBJECT **out_obj,
1279
+ int *out_param_type,
1280
+ const void **out_param_value,
1281
+ const X509_ALGOR *alg);
1282
+
1283
+ // X509_ALGOR_set_md sets |alg| to the hash function |md|. Note this
1284
+ // AlgorithmIdentifier represents the hash function itself, not a signature
1285
+ // algorithm that uses |md|.
1286
+ OPENSSL_EXPORT void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md);
1287
+
1288
+ // X509_ALGOR_cmp returns zero if |a| and |b| are equal, and some non-zero value
1289
+ // otherwise. Note this function can only be used for equality checks, not an
1290
+ // ordering.
1291
+ OPENSSL_EXPORT int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b);
1292
+
1293
+
1294
+ // Printing functions.
1295
+ //
1296
+ // The following functions output human-readable representations of
1297
+ // X.509-related structures. They should only be used for debugging or logging
1298
+ // and not parsed programmatically.
1299
+
1300
+ // X509_signature_dump writes a human-readable representation of |sig| to |bio|,
1301
+ // indented with |indent| spaces. It returns one on success and zero on error.
1302
+ OPENSSL_EXPORT int X509_signature_dump(BIO *bio, const ASN1_STRING *sig,
1303
+ int indent);
1304
+
1305
+ // X509_signature_print writes a human-readable representation of |alg| and
1306
+ // |sig| to |bio|. It returns one on success and zero on error.
1307
+ OPENSSL_EXPORT int X509_signature_print(BIO *bio, const X509_ALGOR *alg,
1308
+ const ASN1_STRING *sig);
1309
+
1310
+
1311
+ // Convenience functions.
1312
+
1313
+ // X509_pubkey_digest hashes the contents of the BIT STRING in |x509|'s
1314
+ // subjectPublicKeyInfo field with |md| and writes the result to |out|.
1315
+ // |EVP_MD_CTX_size| bytes are written, which is at most |EVP_MAX_MD_SIZE|. If
1316
+ // |out_len| is not NULL, |*out_len| is set to the number of bytes written. This
1317
+ // function returns one on success and zero on error.
1318
+ //
1319
+ // This hash omits the BIT STRING tag, length, and number of unused bits. It
1320
+ // also omits the AlgorithmIdentifier which describes the key type. It
1321
+ // corresponds to the OCSP KeyHash definition and is not suitable for other
1322
+ // purposes.
1323
+ OPENSSL_EXPORT int X509_pubkey_digest(const X509 *x509, const EVP_MD *md,
1324
+ uint8_t *out, unsigned *out_len);
1325
+
1326
+ // X509_digest hashes |x509|'s DER encoding with |md| and writes the result to
1327
+ // |out|. |EVP_MD_CTX_size| bytes are written, which is at most
1328
+ // |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number
1329
+ // of bytes written. This function returns one on success and zero on error.
1330
+ // Note this digest covers the entire certificate, not just the signed portion.
1331
+ OPENSSL_EXPORT int X509_digest(const X509 *x509, const EVP_MD *md, uint8_t *out,
1332
+ unsigned *out_len);
1333
+
1334
+ // X509_CRL_digest hashes |crl|'s DER encoding with |md| and writes the result
1335
+ // to |out|. |EVP_MD_CTX_size| bytes are written, which is at most
1336
+ // |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number
1337
+ // of bytes written. This function returns one on success and zero on error.
1338
+ // Note this digest covers the entire CRL, not just the signed portion.
1339
+ OPENSSL_EXPORT int X509_CRL_digest(const X509_CRL *crl, const EVP_MD *md,
1340
+ uint8_t *out, unsigned *out_len);
1341
+
1342
+ // X509_REQ_digest hashes |req|'s DER encoding with |md| and writes the result
1343
+ // to |out|. |EVP_MD_CTX_size| bytes are written, which is at most
1344
+ // |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number
1345
+ // of bytes written. This function returns one on success and zero on error.
1346
+ // Note this digest covers the entire certificate request, not just the signed
1347
+ // portion.
1348
+ OPENSSL_EXPORT int X509_REQ_digest(const X509_REQ *req, const EVP_MD *md,
1349
+ uint8_t *out, unsigned *out_len);
1350
+
1351
+ // X509_NAME_digest hashes |name|'s DER encoding with |md| and writes the result
1352
+ // to |out|. |EVP_MD_CTX_size| bytes are written, which is at most
1353
+ // |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number
1354
+ // of bytes written. This function returns one on success and zero on error.
1355
+ OPENSSL_EXPORT int X509_NAME_digest(const X509_NAME *name, const EVP_MD *md,
1356
+ uint8_t *out, unsigned *out_len);
1357
+
1358
+ // The following functions behave like the corresponding unsuffixed |d2i_*|
1359
+ // functions, but read the result from |bp| instead. Callers using these
1360
+ // functions with memory |BIO|s to parse structures already in memory should use
1361
+ // |d2i_*| instead.
1362
+ OPENSSL_EXPORT X509 *d2i_X509_bio(BIO *bp, X509 **x509);
1363
+ OPENSSL_EXPORT X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl);
1364
+ OPENSSL_EXPORT X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **req);
1365
+ OPENSSL_EXPORT RSA *d2i_RSAPrivateKey_bio(BIO *bp, RSA **rsa);
1366
+ OPENSSL_EXPORT RSA *d2i_RSAPublicKey_bio(BIO *bp, RSA **rsa);
1367
+ OPENSSL_EXPORT RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa);
1368
+ OPENSSL_EXPORT DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa);
1369
+ OPENSSL_EXPORT DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa);
1370
+ OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey);
1371
+ OPENSSL_EXPORT EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey);
1372
+ OPENSSL_EXPORT X509_SIG *d2i_PKCS8_bio(BIO *bp, X509_SIG **p8);
1373
+ OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(
1374
+ BIO *bp, PKCS8_PRIV_KEY_INFO **p8inf);
1375
+ OPENSSL_EXPORT EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a);
1376
+ OPENSSL_EXPORT DH *d2i_DHparams_bio(BIO *bp, DH **dh);
1377
+
1378
+ // d2i_PrivateKey_bio behaves like |d2i_AutoPrivateKey|, but reads from |bp|
1379
+ // instead.
1380
+ OPENSSL_EXPORT EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a);
1381
+
1382
+ // The following functions behave like the corresponding unsuffixed |i2d_*|
1383
+ // functions, but write the result to |bp|. They return one on success and zero
1384
+ // on error. Callers using them with memory |BIO|s to encode structures to
1385
+ // memory should use |i2d_*| directly instead.
1386
+ OPENSSL_EXPORT int i2d_X509_bio(BIO *bp, X509 *x509);
1387
+ OPENSSL_EXPORT int i2d_X509_CRL_bio(BIO *bp, X509_CRL *crl);
1388
+ OPENSSL_EXPORT int i2d_X509_REQ_bio(BIO *bp, X509_REQ *req);
1389
+ OPENSSL_EXPORT int i2d_RSAPrivateKey_bio(BIO *bp, RSA *rsa);
1390
+ OPENSSL_EXPORT int i2d_RSAPublicKey_bio(BIO *bp, RSA *rsa);
1391
+ OPENSSL_EXPORT int i2d_RSA_PUBKEY_bio(BIO *bp, RSA *rsa);
1392
+ OPENSSL_EXPORT int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa);
1393
+ OPENSSL_EXPORT int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa);
1394
+ OPENSSL_EXPORT int i2d_EC_PUBKEY_bio(BIO *bp, EC_KEY *eckey);
1395
+ OPENSSL_EXPORT int i2d_ECPrivateKey_bio(BIO *bp, EC_KEY *eckey);
1396
+ OPENSSL_EXPORT int i2d_PKCS8_bio(BIO *bp, X509_SIG *p8);
1397
+ OPENSSL_EXPORT int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,
1398
+ PKCS8_PRIV_KEY_INFO *p8inf);
1399
+ OPENSSL_EXPORT int i2d_PrivateKey_bio(BIO *bp, EVP_PKEY *pkey);
1400
+ OPENSSL_EXPORT int i2d_PUBKEY_bio(BIO *bp, EVP_PKEY *pkey);
1401
+ OPENSSL_EXPORT int i2d_DHparams_bio(BIO *bp, const DH *dh);
1402
+
1403
+ // i2d_PKCS8PrivateKeyInfo_bio encodes |key| as a PKCS#8 PrivateKeyInfo
1404
+ // structure (see |EVP_marshal_private_key|) and writes the result to |bp|. It
1405
+ // returns one on success and zero on error.
1406
+ OPENSSL_EXPORT int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key);
1407
+
1408
+ // The following functions behave like the corresponding |d2i_*_bio| functions,
1409
+ // but read from |fp| instead.
1410
+ OPENSSL_EXPORT X509 *d2i_X509_fp(FILE *fp, X509 **x509);
1411
+ OPENSSL_EXPORT X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl);
1412
+ OPENSSL_EXPORT X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **req);
1413
+ OPENSSL_EXPORT RSA *d2i_RSAPrivateKey_fp(FILE *fp, RSA **rsa);
1414
+ OPENSSL_EXPORT RSA *d2i_RSAPublicKey_fp(FILE *fp, RSA **rsa);
1415
+ OPENSSL_EXPORT RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa);
1416
+ OPENSSL_EXPORT DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa);
1417
+ OPENSSL_EXPORT DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa);
1418
+ OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey);
1419
+ OPENSSL_EXPORT EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey);
1420
+ OPENSSL_EXPORT X509_SIG *d2i_PKCS8_fp(FILE *fp, X509_SIG **p8);
1421
+ OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(
1422
+ FILE *fp, PKCS8_PRIV_KEY_INFO **p8inf);
1423
+ OPENSSL_EXPORT EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a);
1424
+ OPENSSL_EXPORT EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a);
1425
+
1426
+ // The following functions behave like the corresponding |i2d_*_bio| functions,
1427
+ // but write to |fp| instead.
1428
+ OPENSSL_EXPORT int i2d_X509_fp(FILE *fp, X509 *x509);
1429
+ OPENSSL_EXPORT int i2d_X509_CRL_fp(FILE *fp, X509_CRL *crl);
1430
+ OPENSSL_EXPORT int i2d_X509_REQ_fp(FILE *fp, X509_REQ *req);
1431
+ OPENSSL_EXPORT int i2d_RSAPrivateKey_fp(FILE *fp, RSA *rsa);
1432
+ OPENSSL_EXPORT int i2d_RSAPublicKey_fp(FILE *fp, RSA *rsa);
1433
+ OPENSSL_EXPORT int i2d_RSA_PUBKEY_fp(FILE *fp, RSA *rsa);
1434
+ OPENSSL_EXPORT int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa);
1435
+ OPENSSL_EXPORT int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa);
1436
+ OPENSSL_EXPORT int i2d_EC_PUBKEY_fp(FILE *fp, EC_KEY *eckey);
1437
+ OPENSSL_EXPORT int i2d_ECPrivateKey_fp(FILE *fp, EC_KEY *eckey);
1438
+ OPENSSL_EXPORT int i2d_PKCS8_fp(FILE *fp, X509_SIG *p8);
1439
+ OPENSSL_EXPORT int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,
1440
+ PKCS8_PRIV_KEY_INFO *p8inf);
1441
+ OPENSSL_EXPORT int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key);
1442
+ OPENSSL_EXPORT int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey);
1443
+ OPENSSL_EXPORT int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey);
1444
+
1445
+ // X509_find_by_issuer_and_serial returns the first |X509| in |sk| whose issuer
1446
+ // and serial are |name| and |serial|, respectively. If no match is found, it
1447
+ // returns NULL.
1448
+ OPENSSL_EXPORT X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk,
1449
+ X509_NAME *name,
1450
+ const ASN1_INTEGER *serial);
1451
+
1452
+ // X509_find_by_subject returns the first |X509| in |sk| whose subject is
1453
+ // |name|. If no match is found, it returns NULL.
1454
+ OPENSSL_EXPORT X509 *X509_find_by_subject(const STACK_OF(X509) *sk,
1455
+ X509_NAME *name);
1456
+
1457
+
1458
+ // ex_data functions.
1459
+ //
1460
+ // See |ex_data.h| for details.
1461
+
1462
+ OPENSSL_EXPORT int X509_get_ex_new_index(long argl, void *argp,
1463
+ CRYPTO_EX_unused *unused,
1464
+ CRYPTO_EX_dup *dup_unused,
1465
+ CRYPTO_EX_free *free_func);
1466
+ OPENSSL_EXPORT int X509_set_ex_data(X509 *r, int idx, void *arg);
1467
+ OPENSSL_EXPORT void *X509_get_ex_data(X509 *r, int idx);
1468
+
1469
+ OPENSSL_EXPORT int X509_STORE_CTX_get_ex_new_index(long argl, void *argp,
1470
+ CRYPTO_EX_unused *unused,
1471
+ CRYPTO_EX_dup *dup_unused,
1472
+ CRYPTO_EX_free *free_func);
1473
+ OPENSSL_EXPORT int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx,
1474
+ void *data);
1475
+ OPENSSL_EXPORT void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx);
1476
+
1477
+
1478
+ // Deprecated functions.
1479
+
1480
+ // X509_get_notBefore returns |x509|'s notBefore time. Note this function is not
1481
+ // const-correct for legacy reasons. Use |X509_get0_notBefore| or
1482
+ // |X509_getm_notBefore| instead.
1483
+ OPENSSL_EXPORT ASN1_TIME *X509_get_notBefore(const X509 *x509);
1484
+
1485
+ // X509_get_notAfter returns |x509|'s notAfter time. Note this function is not
1486
+ // const-correct for legacy reasons. Use |X509_get0_notAfter| or
1487
+ // |X509_getm_notAfter| instead.
1488
+ OPENSSL_EXPORT ASN1_TIME *X509_get_notAfter(const X509 *x509);
1489
+
1490
+ // X509_set_notBefore calls |X509_set1_notBefore|. Use |X509_set1_notBefore|
1491
+ // instead.
1492
+ OPENSSL_EXPORT int X509_set_notBefore(X509 *x509, const ASN1_TIME *tm);
1493
+
1494
+ // X509_set_notAfter calls |X509_set1_notAfter|. Use |X509_set1_notAfter|
1495
+ // instead.
1496
+ OPENSSL_EXPORT int X509_set_notAfter(X509 *x509, const ASN1_TIME *tm);
1497
+
1498
+ // X509_CRL_get_lastUpdate returns a mutable pointer to |crl|'s thisUpdate time.
1499
+ // The OpenSSL API refers to this field as lastUpdate.
1500
+ //
1501
+ // Use |X509_CRL_get0_lastUpdate| or |X509_CRL_set1_lastUpdate| instead.
1502
+ OPENSSL_EXPORT ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl);
1503
+
1504
+ // X509_CRL_get_nextUpdate returns a mutable pointer to |crl|'s nextUpdate time,
1505
+ // or NULL if |crl| has none. Use |X509_CRL_get0_nextUpdate| or
1506
+ // |X509_CRL_set1_nextUpdate| instead.
1507
+ OPENSSL_EXPORT ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl);
1508
+
1509
+ // X509_extract_key is a legacy alias to |X509_get_pubkey|. Use
1510
+ // |X509_get_pubkey| instead.
1511
+ #define X509_extract_key(x) X509_get_pubkey(x)
1512
+
1513
+ // X509_REQ_extract_key is a legacy alias for |X509_REQ_get_pubkey|.
1514
+ #define X509_REQ_extract_key(a) X509_REQ_get_pubkey(a)
1515
+
1516
+ // X509_name_cmp is a legacy alias for |X509_NAME_cmp|.
1517
+ #define X509_name_cmp(a, b) X509_NAME_cmp((a), (b))
1518
+
1519
+ // The following symbols are deprecated aliases to |X509_CRL_set1_*|.
1520
+ #define X509_CRL_set_lastUpdate X509_CRL_set1_lastUpdate
1521
+ #define X509_CRL_set_nextUpdate X509_CRL_set1_nextUpdate
1522
+
1523
+ // X509_get_serialNumber returns a mutable pointer to |x509|'s serial number.
1524
+ // Prefer |X509_get0_serialNumber|.
1525
+ OPENSSL_EXPORT ASN1_INTEGER *X509_get_serialNumber(X509 *x509);
1526
+
1527
+ // X509_NAME_get_text_by_OBJ finds the first attribute with type |obj| in
1528
+ // |name|. If found, it ignores the value's ASN.1 type, writes the raw
1529
+ // |ASN1_STRING| representation to |buf|, followed by a NUL byte, and
1530
+ // returns the number of bytes in output, excluding the NUL byte.
1531
+ //
1532
+ // This function writes at most |len| bytes, including the NUL byte. If |len| is
1533
+ // not large enough, it silently truncates the output to fit. If |buf| is NULL,
1534
+ // it instead writes enough and returns the number of bytes in the output,
1535
+ // excluding the NUL byte.
1536
+ //
1537
+ // WARNING: Do not use this function. It does not return enough information for
1538
+ // the caller to correctly interpret its output. The attribute value may be of
1539
+ // any type, including one of several ASN.1 string encodings, but this function
1540
+ // only outputs the raw |ASN1_STRING| representation. See
1541
+ // https://crbug.com/boringssl/436.
1542
+ OPENSSL_EXPORT int X509_NAME_get_text_by_OBJ(const X509_NAME *name,
1543
+ const ASN1_OBJECT *obj, char *buf,
1544
+ int len);
1545
+
1546
+ // X509_NAME_get_text_by_NID behaves like |X509_NAME_get_text_by_OBJ| except it
1547
+ // finds an attribute of type |nid|, which should be one of the |NID_*|
1548
+ // constants.
1549
+ OPENSSL_EXPORT int X509_NAME_get_text_by_NID(const X509_NAME *name, int nid,
1550
+ char *buf, int len);
1551
+
1552
+
1553
+ // Private structures.
1554
+
1555
+ struct X509_algor_st {
1556
+ ASN1_OBJECT *algorithm;
1557
+ ASN1_TYPE *parameter;
1558
+ } /* X509_ALGOR */;
1559
+
96
1560
 
1561
+ // Functions below this point have not yet been organized into sections.
97
1562
 
98
1563
  #define X509_FILETYPE_PEM 1
99
1564
  #define X509_FILETYPE_ASN1 2
@@ -110,25 +1575,6 @@ extern "C" {
110
1575
  #define X509v3_KU_DECIPHER_ONLY 0x8000
111
1576
  #define X509v3_KU_UNDEF 0xffff
112
1577
 
113
- struct X509_algor_st {
114
- ASN1_OBJECT *algorithm;
115
- ASN1_TYPE *parameter;
116
- } /* X509_ALGOR */;
117
-
118
- DECLARE_ASN1_FUNCTIONS(X509_ALGOR)
119
-
120
- DEFINE_STACK_OF(X509_ALGOR)
121
-
122
- typedef STACK_OF(X509_ALGOR) X509_ALGORS;
123
-
124
- DEFINE_STACK_OF(X509_NAME_ENTRY)
125
-
126
- DEFINE_STACK_OF(X509_NAME)
127
-
128
- typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS;
129
-
130
- DEFINE_STACK_OF(X509_EXTENSION)
131
-
132
1578
  DEFINE_STACK_OF(X509_ATTRIBUTE)
133
1579
 
134
1580
  // This stuff is certificate "auxiliary info"
@@ -139,8 +1585,6 @@ DEFINE_STACK_OF(X509_ATTRIBUTE)
139
1585
  DECLARE_STACK_OF(DIST_POINT)
140
1586
  DECLARE_STACK_OF(GENERAL_NAME)
141
1587
 
142
- DEFINE_STACK_OF(X509)
143
-
144
1588
  // This is used for a table of trust checking functions
145
1589
 
146
1590
  struct x509_trust_st {
@@ -199,7 +1643,8 @@ DEFINE_STACK_OF(X509_TRUST)
199
1643
  #define X509_FLAG_NO_ATTRIBUTES (1L << 11)
200
1644
  #define X509_FLAG_NO_IDS (1L << 12)
201
1645
 
202
- // Flags specific to X509_NAME_print_ex()
1646
+ // Flags specific to X509_NAME_print_ex(). These flags must not collide with
1647
+ // |ASN1_STRFLGS_*|.
203
1648
 
204
1649
  // The field separator information
205
1650
 
@@ -249,23 +1694,10 @@ DEFINE_STACK_OF(X509_TRUST)
249
1694
  (ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB | XN_FLAG_SEP_MULTILINE | \
250
1695
  XN_FLAG_SPC_EQ | XN_FLAG_FN_LN | XN_FLAG_FN_ALIGN)
251
1696
 
252
- struct x509_revoked_st {
253
- ASN1_INTEGER *serialNumber;
254
- ASN1_TIME *revocationDate;
255
- STACK_OF(X509_EXTENSION) /* optional */ *extensions;
256
- // Set up if indirect CRL
257
- STACK_OF(GENERAL_NAME) *issuer;
258
- // Revocation reason
259
- int reason;
260
- int sequence; // load sequence
261
- };
262
-
263
1697
  DEFINE_STACK_OF(X509_REVOKED)
264
1698
 
265
1699
  DECLARE_STACK_OF(GENERAL_NAMES)
266
1700
 
267
- DEFINE_STACK_OF(X509_CRL)
268
-
269
1701
  struct private_key_st {
270
1702
  int version;
271
1703
  // The PKCS#8 data types
@@ -303,182 +1735,22 @@ DEFINE_STACK_OF(X509_INFO)
303
1735
  struct Netscape_spkac_st {
304
1736
  X509_PUBKEY *pubkey;
305
1737
  ASN1_IA5STRING *challenge; // challenge sent in atlas >= PR2
306
- } /* NETSCAPE_SPKAC */;
307
-
308
- struct Netscape_spki_st {
309
- NETSCAPE_SPKAC *spkac; // signed public key and challenge
310
- X509_ALGOR *sig_algor;
311
- ASN1_BIT_STRING *signature;
312
- } /* NETSCAPE_SPKI */;
313
-
314
- // TODO(davidben): Document remaining functions, reorganize them, and define
315
- // supported patterns for using |X509| objects in general. In particular, when
316
- // it is safe to call mutating functions is a little tricky due to various
317
- // internal caches.
318
-
319
- // X509_VERSION_* are X.509 version numbers. Note the numerical values of all
320
- // defined X.509 versions are one less than the named version.
321
- #define X509_VERSION_1 0
322
- #define X509_VERSION_2 1
323
- #define X509_VERSION_3 2
324
-
325
- // X509_get_version returns the numerical value of |x509|'s version. Callers may
326
- // compare the result to the |X509_VERSION_*| constants. Unknown versions are
327
- // rejected by the parser, but a manually-created |X509| object may encode
328
- // invalid versions. In that case, the function will return the invalid version,
329
- // or -1 on overflow.
330
- OPENSSL_EXPORT long X509_get_version(const X509 *x509);
331
-
332
- // X509_set_version sets |x509|'s version to |version|, which should be one of
333
- // the |X509V_VERSION_*| constants. It returns one on success and zero on error.
334
- //
335
- // If unsure, use |X509_VERSION_3|.
336
- OPENSSL_EXPORT int X509_set_version(X509 *x509, long version);
337
-
338
- // X509_get0_serialNumber returns |x509|'s serial number.
339
- OPENSSL_EXPORT const ASN1_INTEGER *X509_get0_serialNumber(const X509 *x509);
340
-
341
- // X509_set_serialNumber sets |x509|'s serial number to |serial|. It returns one
342
- // on success and zero on error.
343
- OPENSSL_EXPORT int X509_set_serialNumber(X509 *x509,
344
- const ASN1_INTEGER *serial);
345
-
346
- // X509_get0_notBefore returns |x509|'s notBefore time.
347
- OPENSSL_EXPORT const ASN1_TIME *X509_get0_notBefore(const X509 *x509);
348
-
349
- // X509_get0_notAfter returns |x509|'s notAfter time.
350
- OPENSSL_EXPORT const ASN1_TIME *X509_get0_notAfter(const X509 *x509);
351
-
352
- // X509_set1_notBefore sets |x509|'s notBefore time to |tm|. It returns one on
353
- // success and zero on error.
354
- OPENSSL_EXPORT int X509_set1_notBefore(X509 *x509, const ASN1_TIME *tm);
355
-
356
- // X509_set1_notAfter sets |x509|'s notAfter time to |tm|. it returns one on
357
- // success and zero on error.
358
- OPENSSL_EXPORT int X509_set1_notAfter(X509 *x509, const ASN1_TIME *tm);
359
-
360
- // X509_getm_notBefore returns a mutable pointer to |x509|'s notBefore time.
361
- OPENSSL_EXPORT ASN1_TIME *X509_getm_notBefore(X509 *x509);
362
-
363
- // X509_getm_notAfter returns a mutable pointer to |x509|'s notAfter time.
364
- OPENSSL_EXPORT ASN1_TIME *X509_getm_notAfter(X509 *x);
365
-
366
- // X509_get_notBefore returns |x509|'s notBefore time. Note this function is not
367
- // const-correct for legacy reasons. Use |X509_get0_notBefore| or
368
- // |X509_getm_notBefore| instead.
369
- OPENSSL_EXPORT ASN1_TIME *X509_get_notBefore(const X509 *x509);
370
-
371
- // X509_get_notAfter returns |x509|'s notAfter time. Note this function is not
372
- // const-correct for legacy reasons. Use |X509_get0_notAfter| or
373
- // |X509_getm_notAfter| instead.
374
- OPENSSL_EXPORT ASN1_TIME *X509_get_notAfter(const X509 *x509);
375
-
376
- // X509_set_notBefore calls |X509_set1_notBefore|. Use |X509_set1_notBefore|
377
- // instead.
378
- OPENSSL_EXPORT int X509_set_notBefore(X509 *x509, const ASN1_TIME *tm);
379
-
380
- // X509_set_notAfter calls |X509_set1_notAfter|. Use |X509_set1_notAfter|
381
- // instead.
382
- OPENSSL_EXPORT int X509_set_notAfter(X509 *x509, const ASN1_TIME *tm);
383
-
384
- // X509_get0_uids sets |*out_issuer_uid| to a non-owning pointer to the
385
- // issuerUID field of |x509|, or NULL if |x509| has no issuerUID. It similarly
386
- // outputs |x509|'s subjectUID field to |*out_subject_uid|.
387
- //
388
- // Callers may pass NULL to either |out_issuer_uid| or |out_subject_uid| to
389
- // ignore the corresponding field.
390
- OPENSSL_EXPORT void X509_get0_uids(const X509 *x509,
391
- const ASN1_BIT_STRING **out_issuer_uid,
392
- const ASN1_BIT_STRING **out_subject_uid);
393
-
394
- // X509_extract_key is a legacy alias to |X509_get_pubkey|. Use
395
- // |X509_get_pubkey| instead.
396
- #define X509_extract_key(x) X509_get_pubkey(x)
397
-
398
- // X509_get_pathlen returns path length constraint from the basic constraints
399
- // extension in |x509|. (See RFC 5280, section 4.2.1.9.) It returns -1 if the
400
- // constraint is not present, or if some extension in |x509| was invalid.
401
- //
402
- // Note that decoding an |X509| object will not check for invalid extensions. To
403
- // detect the error case, call |X509_get_extensions_flags| and check the
404
- // |EXFLAG_INVALID| bit.
405
- OPENSSL_EXPORT long X509_get_pathlen(X509 *x509);
406
-
407
- // X509_REQ_VERSION_1 is the version constant for |X509_REQ| objects. Note no
408
- // other versions are defined.
409
- #define X509_REQ_VERSION_1 0
410
-
411
- // X509_REQ_get_version returns the numerical value of |req|'s version. This
412
- // will be |X509_REQ_VERSION_1| for valid certificate requests. If |req| is
413
- // invalid, it may return another value, or -1 on overflow.
414
- //
415
- // TODO(davidben): Enforce the version number in the parser.
416
- OPENSSL_EXPORT long X509_REQ_get_version(const X509_REQ *req);
417
-
418
- // X509_REQ_get_subject_name returns |req|'s subject name. Note this function is
419
- // not const-correct for legacy reasons.
420
- OPENSSL_EXPORT X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req);
421
-
422
- // X509_REQ_extract_key is a legacy alias for |X509_REQ_get_pubkey|.
423
- #define X509_REQ_extract_key(a) X509_REQ_get_pubkey(a)
424
-
425
- // X509_name_cmp is a legacy alias for |X509_NAME_cmp|.
426
- #define X509_name_cmp(a, b) X509_NAME_cmp((a), (b))
427
-
428
- #define X509_CRL_VERSION_1 0
429
- #define X509_CRL_VERSION_2 1
430
-
431
- // X509_CRL_get_version returns the numerical value of |crl|'s version. Callers
432
- // may compare the result to |X509_CRL_VERSION_*| constants. If |crl| is
433
- // invalid, it may return another value, or -1 on overflow.
434
- //
435
- // TODO(davidben): Enforce the version number in the parser.
436
- OPENSSL_EXPORT long X509_CRL_get_version(const X509_CRL *crl);
437
-
438
- // X509_CRL_get0_lastUpdate returns |crl|'s lastUpdate time.
439
- OPENSSL_EXPORT const ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl);
440
-
441
- // X509_CRL_get0_nextUpdate returns |crl|'s nextUpdate time, or NULL if |crl|
442
- // has none.
443
- OPENSSL_EXPORT const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl);
444
-
445
- // X509_CRL_set1_lastUpdate sets |crl|'s lastUpdate time to |tm|. It returns one
446
- // on success and zero on error.
447
- OPENSSL_EXPORT int X509_CRL_set1_lastUpdate(X509_CRL *crl, const ASN1_TIME *tm);
448
-
449
- // X509_CRL_set1_nextUpdate sets |crl|'s nextUpdate time to |tm|. It returns one
450
- // on success and zero on error.
451
- OPENSSL_EXPORT int X509_CRL_set1_nextUpdate(X509_CRL *crl, const ASN1_TIME *tm);
452
-
453
- // The following symbols are deprecated aliases to |X509_CRL_set1_*|.
454
- #define X509_CRL_set_lastUpdate X509_CRL_set1_lastUpdate
455
- #define X509_CRL_set_nextUpdate X509_CRL_set1_nextUpdate
456
-
457
- // X509_CRL_get_lastUpdate returns a mutable pointer to |crl|'s lastUpdate time.
458
- // Use |X509_CRL_get0_lastUpdate| or |X509_CRL_set1_lastUpdate| instead.
459
- OPENSSL_EXPORT ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl);
460
-
461
- // X509_CRL_get_nextUpdate returns a mutable pointer to |crl|'s nextUpdate time,
462
- // or NULL if |crl| has none. Use |X509_CRL_get0_nextUpdate| or
463
- // |X509_CRL_set1_nextUpdate| instead.
464
- OPENSSL_EXPORT ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl);
1738
+ } /* NETSCAPE_SPKAC */;
465
1739
 
466
- // X509_CRL_get_issuer returns |crl|'s issuer name. Note this function is not
467
- // const-correct for legacy reasons.
468
- OPENSSL_EXPORT X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl);
1740
+ struct Netscape_spki_st {
1741
+ NETSCAPE_SPKAC *spkac; // signed public key and challenge
1742
+ X509_ALGOR *sig_algor;
1743
+ ASN1_BIT_STRING *signature;
1744
+ } /* NETSCAPE_SPKI */;
469
1745
 
470
- // X509_CRL_get_REVOKED returns the list of revoked certificates in |crl|, or
471
- // NULL if |crl| omits it.
1746
+ // X509_get_pathlen returns path length constraint from the basic constraints
1747
+ // extension in |x509|. (See RFC 5280, section 4.2.1.9.) It returns -1 if the
1748
+ // constraint is not present, or if some extension in |x509| was invalid.
472
1749
  //
473
- // TOOD(davidben): This function was originally a macro, without clear const
474
- // semantics. It should take a const input and give const output, but the latter
475
- // would break existing callers. For now, we match upstream.
476
- OPENSSL_EXPORT STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl);
477
-
478
- // X509_CRL_get0_extensions returns |crl|'s extension list, or NULL if |crl|
479
- // omits it.
480
- OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(
481
- const X509_CRL *crl);
1750
+ // Note that decoding an |X509| object will not check for invalid extensions. To
1751
+ // detect the error case, call |X509_get_extensions_flags| and check the
1752
+ // |EXFLAG_INVALID| bit.
1753
+ OPENSSL_EXPORT long X509_get_pathlen(X509 *x509);
482
1754
 
483
1755
  // X509_SIG_get0 sets |*out_alg| and |*out_digest| to non-owning pointers to
484
1756
  // |sig|'s algorithm and digest fields, respectively. Either |out_alg| and
@@ -491,22 +1763,6 @@ OPENSSL_EXPORT void X509_SIG_get0(const X509_SIG *sig,
491
1763
  OPENSSL_EXPORT void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **out_alg,
492
1764
  ASN1_OCTET_STRING **out_digest);
493
1765
 
494
- OPENSSL_EXPORT void X509_CRL_set_default_method(const X509_CRL_METHOD *meth);
495
- OPENSSL_EXPORT X509_CRL_METHOD *X509_CRL_METHOD_new(
496
- int (*crl_init)(X509_CRL *crl), int (*crl_free)(X509_CRL *crl),
497
- int (*crl_lookup)(X509_CRL *crl, X509_REVOKED **ret, ASN1_INTEGER *ser,
498
- X509_NAME *issuer),
499
- int (*crl_verify)(X509_CRL *crl, EVP_PKEY *pk));
500
- OPENSSL_EXPORT void X509_CRL_METHOD_free(X509_CRL_METHOD *m);
501
-
502
- OPENSSL_EXPORT void X509_CRL_set_meth_data(X509_CRL *crl, void *dat);
503
- OPENSSL_EXPORT void *X509_CRL_get_meth_data(X509_CRL *crl);
504
-
505
- // X509_get_X509_PUBKEY returns the public key of |x509|. Note this function is
506
- // not const-correct for legacy reasons. Callers should not modify the returned
507
- // object.
508
- OPENSSL_EXPORT X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x509);
509
-
510
1766
  // X509_verify_cert_error_string returns |err| as a human-readable string, where
511
1767
  // |err| should be one of the |X509_V_*| values. If |err| is unknown, it returns
512
1768
  // a default description.
@@ -545,255 +1801,32 @@ OPENSSL_EXPORT NETSCAPE_SPKI *NETSCAPE_SPKI_b64_decode(const char *str,
545
1801
  OPENSSL_EXPORT char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki);
546
1802
 
547
1803
  // NETSCAPE_SPKI_get_pubkey decodes and returns the public key in |spki| as an
548
- // |EVP_PKEY|, or NULL on error. The caller takes ownership of the resulting
549
- // pointer and must call |EVP_PKEY_free| when done.
550
- OPENSSL_EXPORT EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *spki);
551
-
552
- // NETSCAPE_SPKI_set_pubkey sets |spki|'s public key to |pkey|. It returns one
553
- // on success or zero on error. This function does not take ownership of |pkey|,
554
- // so the caller may continue to manage its lifetime independently of |spki|.
555
- OPENSSL_EXPORT int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *spki,
556
- EVP_PKEY *pkey);
557
-
558
- // X509_signature_dump writes a human-readable representation of |sig| to |bio|,
559
- // indented with |indent| spaces. It returns one on success and zero on error.
560
- OPENSSL_EXPORT int X509_signature_dump(BIO *bio, const ASN1_STRING *sig,
561
- int indent);
562
-
563
- // X509_signature_print writes a human-readable representation of |alg| and
564
- // |sig| to |bio|. It returns one on success and zero on error.
565
- OPENSSL_EXPORT int X509_signature_print(BIO *bio, const X509_ALGOR *alg,
566
- const ASN1_STRING *sig);
567
-
568
- // X509_sign signs |x509| with |pkey| and replaces the signature algorithm and
569
- // signature fields. It returns one on success and zero on error. This function
570
- // uses digest algorithm |md|, or |pkey|'s default if NULL. Other signing
571
- // parameters use |pkey|'s defaults. To customize them, use |X509_sign_ctx|.
572
- OPENSSL_EXPORT int X509_sign(X509 *x509, EVP_PKEY *pkey, const EVP_MD *md);
573
-
574
- // X509_sign_ctx signs |x509| with |ctx| and replaces the signature algorithm
575
- // and signature fields. It returns one on success and zero on error. The
576
- // signature algorithm and parameters come from |ctx|, which must have been
577
- // initialized with |EVP_DigestSignInit|. The caller should configure the
578
- // corresponding |EVP_PKEY_CTX| before calling this function.
579
- OPENSSL_EXPORT int X509_sign_ctx(X509 *x509, EVP_MD_CTX *ctx);
580
-
581
- // X509_REQ_sign signs |req| with |pkey| and replaces the signature algorithm
582
- // and signature fields. It returns one on success and zero on error. This
583
- // function uses digest algorithm |md|, or |pkey|'s default if NULL. Other
584
- // signing parameters use |pkey|'s defaults. To customize them, use
585
- // |X509_REQ_sign_ctx|.
586
- OPENSSL_EXPORT int X509_REQ_sign(X509_REQ *req, EVP_PKEY *pkey,
587
- const EVP_MD *md);
588
-
589
- // X509_REQ_sign_ctx signs |req| with |ctx| and replaces the signature algorithm
590
- // and signature fields. It returns one on success and zero on error. The
591
- // signature algorithm and parameters come from |ctx|, which must have been
592
- // initialized with |EVP_DigestSignInit|. The caller should configure the
593
- // corresponding |EVP_PKEY_CTX| before calling this function.
594
- OPENSSL_EXPORT int X509_REQ_sign_ctx(X509_REQ *req, EVP_MD_CTX *ctx);
595
-
596
- // X509_CRL_sign signs |crl| with |pkey| and replaces the signature algorithm
597
- // and signature fields. It returns one on success and zero on error. This
598
- // function uses digest algorithm |md|, or |pkey|'s default if NULL. Other
599
- // signing parameters use |pkey|'s defaults. To customize them, use
600
- // |X509_CRL_sign_ctx|.
601
- OPENSSL_EXPORT int X509_CRL_sign(X509_CRL *crl, EVP_PKEY *pkey,
602
- const EVP_MD *md);
603
-
604
- // X509_CRL_sign_ctx signs |crl| with |ctx| and replaces the signature algorithm
605
- // and signature fields. It returns one on success and zero on error. The
606
- // signature algorithm and parameters come from |ctx|, which must have been
607
- // initialized with |EVP_DigestSignInit|. The caller should configure the
608
- // corresponding |EVP_PKEY_CTX| before calling this function.
609
- OPENSSL_EXPORT int X509_CRL_sign_ctx(X509_CRL *crl, EVP_MD_CTX *ctx);
610
-
611
- // NETSCAPE_SPKI_sign signs |spki| with |pkey| and replaces the signature
612
- // algorithm and signature fields. It returns one on success and zero on error.
613
- // This function uses digest algorithm |md|, or |pkey|'s default if NULL. Other
614
- // signing parameters use |pkey|'s defaults.
615
- OPENSSL_EXPORT int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *spki, EVP_PKEY *pkey,
616
- const EVP_MD *md);
617
-
618
- // X509_pubkey_digest hashes the DER encoding of |x509|'s subjectPublicKeyInfo
619
- // field with |md| and writes the result to |out|. |EVP_MD_CTX_size| bytes are
620
- // written, which is at most |EVP_MAX_MD_SIZE|. If |out_len| is not NULL,
621
- // |*out_len| is set to the number of bytes written. This function returns one
622
- // on success and zero on error.
623
- OPENSSL_EXPORT int X509_pubkey_digest(const X509 *x509, const EVP_MD *md,
624
- uint8_t *out, unsigned *out_len);
625
-
626
- // X509_digest hashes |x509|'s DER encoding with |md| and writes the result to
627
- // |out|. |EVP_MD_CTX_size| bytes are written, which is at most
628
- // |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number
629
- // of bytes written. This function returns one on success and zero on error.
630
- // Note this digest covers the entire certificate, not just the signed portion.
631
- OPENSSL_EXPORT int X509_digest(const X509 *x509, const EVP_MD *md, uint8_t *out,
632
- unsigned *out_len);
633
-
634
- // X509_CRL_digest hashes |crl|'s DER encoding with |md| and writes the result
635
- // to |out|. |EVP_MD_CTX_size| bytes are written, which is at most
636
- // |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number
637
- // of bytes written. This function returns one on success and zero on error.
638
- // Note this digest covers the entire CRL, not just the signed portion.
639
- OPENSSL_EXPORT int X509_CRL_digest(const X509_CRL *crl, const EVP_MD *md,
640
- uint8_t *out, unsigned *out_len);
641
-
642
- // X509_REQ_digest hashes |req|'s DER encoding with |md| and writes the result
643
- // to |out|. |EVP_MD_CTX_size| bytes are written, which is at most
644
- // |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number
645
- // of bytes written. This function returns one on success and zero on error.
646
- // Note this digest covers the entire certificate request, not just the signed
647
- // portion.
648
- OPENSSL_EXPORT int X509_REQ_digest(const X509_REQ *req, const EVP_MD *md,
649
- uint8_t *out, unsigned *out_len);
650
-
651
- // X509_NAME_digest hashes |name|'s DER encoding with |md| and writes the result
652
- // to |out|. |EVP_MD_CTX_size| bytes are written, which is at most
653
- // |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number
654
- // of bytes written. This function returns one on success and zero on error.
655
- OPENSSL_EXPORT int X509_NAME_digest(const X509_NAME *name, const EVP_MD *md,
656
- uint8_t *out, unsigned *out_len);
657
-
658
- // X509_parse_from_buffer parses an X.509 structure from |buf| and returns a
659
- // fresh X509 or NULL on error. There must not be any trailing data in |buf|.
660
- // The returned structure (if any) holds a reference to |buf| rather than
661
- // copying parts of it as a normal |d2i_X509| call would do.
662
- OPENSSL_EXPORT X509 *X509_parse_from_buffer(CRYPTO_BUFFER *buf);
663
-
664
- OPENSSL_EXPORT X509 *d2i_X509_fp(FILE *fp, X509 **x509);
665
- OPENSSL_EXPORT int i2d_X509_fp(FILE *fp, X509 *x509);
666
- OPENSSL_EXPORT X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl);
667
- OPENSSL_EXPORT int i2d_X509_CRL_fp(FILE *fp, X509_CRL *crl);
668
- OPENSSL_EXPORT X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **req);
669
- OPENSSL_EXPORT int i2d_X509_REQ_fp(FILE *fp, X509_REQ *req);
670
- OPENSSL_EXPORT RSA *d2i_RSAPrivateKey_fp(FILE *fp, RSA **rsa);
671
- OPENSSL_EXPORT int i2d_RSAPrivateKey_fp(FILE *fp, RSA *rsa);
672
- OPENSSL_EXPORT RSA *d2i_RSAPublicKey_fp(FILE *fp, RSA **rsa);
673
- OPENSSL_EXPORT int i2d_RSAPublicKey_fp(FILE *fp, RSA *rsa);
674
- OPENSSL_EXPORT RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa);
675
- OPENSSL_EXPORT int i2d_RSA_PUBKEY_fp(FILE *fp, RSA *rsa);
676
- #ifndef OPENSSL_NO_DSA
677
- OPENSSL_EXPORT DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa);
678
- OPENSSL_EXPORT int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa);
679
- OPENSSL_EXPORT DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa);
680
- OPENSSL_EXPORT int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa);
681
- #endif
682
- OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey);
683
- OPENSSL_EXPORT int i2d_EC_PUBKEY_fp(FILE *fp, EC_KEY *eckey);
684
- OPENSSL_EXPORT EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey);
685
- OPENSSL_EXPORT int i2d_ECPrivateKey_fp(FILE *fp, EC_KEY *eckey);
686
- OPENSSL_EXPORT X509_SIG *d2i_PKCS8_fp(FILE *fp, X509_SIG **p8);
687
- OPENSSL_EXPORT int i2d_PKCS8_fp(FILE *fp, X509_SIG *p8);
688
- OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(
689
- FILE *fp, PKCS8_PRIV_KEY_INFO **p8inf);
690
- OPENSSL_EXPORT int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,
691
- PKCS8_PRIV_KEY_INFO *p8inf);
692
- OPENSSL_EXPORT int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key);
693
- OPENSSL_EXPORT int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey);
694
- OPENSSL_EXPORT EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a);
695
- OPENSSL_EXPORT int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey);
696
- OPENSSL_EXPORT EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a);
697
-
698
- OPENSSL_EXPORT X509 *d2i_X509_bio(BIO *bp, X509 **x509);
699
- OPENSSL_EXPORT int i2d_X509_bio(BIO *bp, X509 *x509);
700
- OPENSSL_EXPORT X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl);
701
- OPENSSL_EXPORT int i2d_X509_CRL_bio(BIO *bp, X509_CRL *crl);
702
- OPENSSL_EXPORT X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **req);
703
- OPENSSL_EXPORT int i2d_X509_REQ_bio(BIO *bp, X509_REQ *req);
704
- OPENSSL_EXPORT RSA *d2i_RSAPrivateKey_bio(BIO *bp, RSA **rsa);
705
- OPENSSL_EXPORT int i2d_RSAPrivateKey_bio(BIO *bp, RSA *rsa);
706
- OPENSSL_EXPORT RSA *d2i_RSAPublicKey_bio(BIO *bp, RSA **rsa);
707
- OPENSSL_EXPORT int i2d_RSAPublicKey_bio(BIO *bp, RSA *rsa);
708
- OPENSSL_EXPORT RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa);
709
- OPENSSL_EXPORT int i2d_RSA_PUBKEY_bio(BIO *bp, RSA *rsa);
710
- #ifndef OPENSSL_NO_DSA
711
- OPENSSL_EXPORT DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa);
712
- OPENSSL_EXPORT int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa);
713
- OPENSSL_EXPORT DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa);
714
- OPENSSL_EXPORT int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa);
715
- #endif
716
- OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey);
717
- OPENSSL_EXPORT int i2d_EC_PUBKEY_bio(BIO *bp, EC_KEY *eckey);
718
- OPENSSL_EXPORT EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey);
719
- OPENSSL_EXPORT int i2d_ECPrivateKey_bio(BIO *bp, EC_KEY *eckey);
720
- OPENSSL_EXPORT X509_SIG *d2i_PKCS8_bio(BIO *bp, X509_SIG **p8);
721
- OPENSSL_EXPORT int i2d_PKCS8_bio(BIO *bp, X509_SIG *p8);
722
- OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(
723
- BIO *bp, PKCS8_PRIV_KEY_INFO **p8inf);
724
- OPENSSL_EXPORT int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,
725
- PKCS8_PRIV_KEY_INFO *p8inf);
726
- OPENSSL_EXPORT int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key);
727
- OPENSSL_EXPORT int i2d_PrivateKey_bio(BIO *bp, EVP_PKEY *pkey);
728
- OPENSSL_EXPORT EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a);
729
- OPENSSL_EXPORT int i2d_PUBKEY_bio(BIO *bp, EVP_PKEY *pkey);
730
- OPENSSL_EXPORT EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a);
731
- OPENSSL_EXPORT DH *d2i_DHparams_bio(BIO *bp, DH **dh);
732
- OPENSSL_EXPORT int i2d_DHparams_bio(BIO *bp, const DH *dh);
733
-
734
- OPENSSL_EXPORT X509 *X509_dup(X509 *x509);
735
- OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_dup(X509_ATTRIBUTE *xa);
736
- OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_dup(X509_EXTENSION *ex);
737
- OPENSSL_EXPORT X509_CRL *X509_CRL_dup(X509_CRL *crl);
738
- OPENSSL_EXPORT X509_REVOKED *X509_REVOKED_dup(X509_REVOKED *rev);
739
- OPENSSL_EXPORT X509_REQ *X509_REQ_dup(X509_REQ *req);
740
- OPENSSL_EXPORT X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn);
741
-
742
- // X509_ALGOR_set0 sets |alg| to an AlgorithmIdentifier with algorithm |obj| and
743
- // parameter determined by |param_type| and |param_value|. It returns one on
744
- // success and zero on error. This function takes ownership of |obj| and
745
- // |param_value| on success.
746
- //
747
- // If |param_type| is |V_ASN1_UNDEF|, the parameter is omitted. If |param_type|
748
- // is zero, the parameter is left unchanged. Otherwise, |param_type| and
749
- // |param_value| are interpreted as in |ASN1_TYPE_set|.
750
- //
751
- // Note omitting the parameter (|V_ASN1_UNDEF|) and encoding an explicit NULL
752
- // value (|V_ASN1_NULL|) are different. Some algorithms require one and some the
753
- // other. Consult the relevant specification before calling this function. The
754
- // correct parameter for an RSASSA-PKCS1-v1_5 signature is |V_ASN1_NULL|. The
755
- // correct one for an ECDSA or Ed25519 signature is |V_ASN1_UNDEF|.
756
- OPENSSL_EXPORT int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *obj,
757
- int param_type, void *param_value);
758
-
759
- // X509_ALGOR_get0 sets |*out_obj| to the |alg|'s algorithm. If |alg|'s
760
- // parameter is omitted, it sets |*out_param_type| and |*out_param_value| to
761
- // |V_ASN1_UNDEF| and NULL. Otherwise, it sets |*out_param_type| and
762
- // |*out_param_value| to the parameter, using the same representation as
763
- // |ASN1_TYPE_set0|. See |ASN1_TYPE_set0| and |ASN1_TYPE| for details.
764
- //
765
- // Callers that require the parameter in serialized form should, after checking
766
- // for |V_ASN1_UNDEF|, use |ASN1_TYPE_set1| and |d2i_ASN1_TYPE|, rather than
767
- // inspecting |*out_param_value|.
768
- //
769
- // Each of |out_obj|, |out_param_type|, and |out_param_value| may be NULL to
770
- // ignore the output. If |out_param_type| is NULL, |out_param_value| is ignored.
771
- //
772
- // WARNING: If |*out_param_type| is set to |V_ASN1_UNDEF|, OpenSSL and older
773
- // revisions of BoringSSL leave |*out_param_value| unset rather than setting it
774
- // to NULL. Callers that support both OpenSSL and BoringSSL should not assume
775
- // |*out_param_value| is uniformly initialized.
776
- OPENSSL_EXPORT void X509_ALGOR_get0(const ASN1_OBJECT **out_obj,
777
- int *out_param_type,
778
- const void **out_param_value,
779
- const X509_ALGOR *alg);
1804
+ // |EVP_PKEY|, or NULL on error. The caller takes ownership of the resulting
1805
+ // pointer and must call |EVP_PKEY_free| when done.
1806
+ OPENSSL_EXPORT EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *spki);
780
1807
 
781
- // X509_ALGOR_set_md sets |alg| to the hash function |md|. Note this
782
- // AlgorithmIdentifier represents the hash function itself, not a signature
783
- // algorithm that uses |md|.
784
- OPENSSL_EXPORT void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md);
1808
+ // NETSCAPE_SPKI_set_pubkey sets |spki|'s public key to |pkey|. It returns one
1809
+ // on success or zero on error. This function does not take ownership of |pkey|,
1810
+ // so the caller may continue to manage its lifetime independently of |spki|.
1811
+ OPENSSL_EXPORT int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *spki,
1812
+ EVP_PKEY *pkey);
785
1813
 
786
- // X509_ALGOR_cmp returns zero if |a| and |b| are equal, and some non-zero value
787
- // otherwise. Note this function can only be used for equality checks, not an
788
- // ordering.
789
- OPENSSL_EXPORT int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b);
1814
+ // NETSCAPE_SPKI_sign signs |spki| with |pkey| and replaces the signature
1815
+ // algorithm and signature fields. It returns one on success and zero on error.
1816
+ // This function uses digest algorithm |md|, or |pkey|'s default if NULL. Other
1817
+ // signing parameters use |pkey|'s defaults.
1818
+ OPENSSL_EXPORT int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *spki, EVP_PKEY *pkey,
1819
+ const EVP_MD *md);
790
1820
 
791
- OPENSSL_EXPORT X509_NAME *X509_NAME_dup(X509_NAME *xn);
792
- OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne);
793
- OPENSSL_EXPORT int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne);
1821
+ // X509_ATTRIBUTE_dup returns a newly-allocated copy of |xa|, or NULL on error.
1822
+ // This function works by serializing the structure, so if |xa| is incomplete,
1823
+ // it may fail.
1824
+ OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_dup(const X509_ATTRIBUTE *xa);
794
1825
 
795
- OPENSSL_EXPORT int X509_NAME_get0_der(X509_NAME *nm, const unsigned char **pder,
796
- size_t *pderlen);
1826
+ // X509_REVOKED_dup returns a newly-allocated copy of |rev|, or NULL on error.
1827
+ // This function works by serializing the structure, so if |rev| is incomplete,
1828
+ // it may fail.
1829
+ OPENSSL_EXPORT X509_REVOKED *X509_REVOKED_dup(const X509_REVOKED *rev);
797
1830
 
798
1831
  // X509_cmp_time compares |s| against |*t|. On success, it returns a negative
799
1832
  // number if |s| <= |*t| and a positive number if |s| > |*t|. On error, it
@@ -803,6 +1836,14 @@ OPENSSL_EXPORT int X509_NAME_get0_der(X509_NAME *nm, const unsigned char **pder,
803
1836
  // error, not equality.
804
1837
  OPENSSL_EXPORT int X509_cmp_time(const ASN1_TIME *s, time_t *t);
805
1838
 
1839
+ // X509_cmp_time_posix compares |s| against |t|. On success, it returns a
1840
+ // negative number if |s| <= |t| and a positive number if |s| > |t|. On error,
1841
+ // it returns zero.
1842
+ //
1843
+ // WARNING: Unlike most comparison functions, this function returns zero on
1844
+ // error, not equality.
1845
+ OPENSSL_EXPORT int X509_cmp_time_posix(const ASN1_TIME *s, int64_t t);
1846
+
806
1847
  // X509_cmp_current_time behaves like |X509_cmp_time| but compares |s| against
807
1848
  // the current time.
808
1849
  OPENSSL_EXPORT int X509_cmp_current_time(const ASN1_TIME *s);
@@ -827,12 +1868,7 @@ OPENSSL_EXPORT const char *X509_get_default_cert_dir_env(void);
827
1868
  OPENSSL_EXPORT const char *X509_get_default_cert_file_env(void);
828
1869
  OPENSSL_EXPORT const char *X509_get_default_private_dir(void);
829
1870
 
830
- OPENSSL_EXPORT X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey,
831
- const EVP_MD *md);
832
-
833
- DECLARE_ASN1_ENCODE_FUNCTIONS(X509_ALGORS, X509_ALGORS, X509_ALGORS)
834
-
835
- DECLARE_ASN1_FUNCTIONS(X509_PUBKEY)
1871
+ DECLARE_ASN1_FUNCTIONS_const(X509_PUBKEY)
836
1872
 
837
1873
  // X509_PUBKEY_set serializes |pkey| into a newly-allocated |X509_PUBKEY|
838
1874
  // structure. On success, it frees |*x|, sets |*x| to the new object, and
@@ -845,10 +1881,9 @@ OPENSSL_EXPORT int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey);
845
1881
  // not mutate the result.
846
1882
  OPENSSL_EXPORT EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key);
847
1883
 
848
- DECLARE_ASN1_FUNCTIONS(X509_SIG)
849
- DECLARE_ASN1_FUNCTIONS(X509_REQ)
1884
+ DECLARE_ASN1_FUNCTIONS_const(X509_SIG)
850
1885
 
851
- DECLARE_ASN1_FUNCTIONS(X509_ATTRIBUTE)
1886
+ DECLARE_ASN1_FUNCTIONS_const(X509_ATTRIBUTE)
852
1887
 
853
1888
  // X509_ATTRIBUTE_create returns a newly-allocated |X509_ATTRIBUTE|, or NULL on
854
1889
  // error. The attribute has type |nid| and contains a single value determined by
@@ -857,99 +1892,15 @@ DECLARE_ASN1_FUNCTIONS(X509_ATTRIBUTE)
857
1892
  OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int attrtype,
858
1893
  void *value);
859
1894
 
860
- DECLARE_ASN1_FUNCTIONS(X509_EXTENSION)
861
- DECLARE_ASN1_ENCODE_FUNCTIONS(X509_EXTENSIONS, X509_EXTENSIONS, X509_EXTENSIONS)
862
-
863
- DECLARE_ASN1_FUNCTIONS(X509_NAME_ENTRY)
864
-
865
- DECLARE_ASN1_FUNCTIONS(X509_NAME)
866
-
867
- // X509_NAME_set makes a copy of |name|. On success, it frees |*xn|, sets |*xn|
868
- // to the copy, and returns one. Otherwise, it returns zero.
869
- OPENSSL_EXPORT int X509_NAME_set(X509_NAME **xn, X509_NAME *name);
870
-
871
- DECLARE_ASN1_FUNCTIONS(X509)
872
- DECLARE_ASN1_FUNCTIONS(X509_CERT_AUX)
873
-
874
- // X509_up_ref adds one to the reference count of |x509| and returns one.
875
- OPENSSL_EXPORT int X509_up_ref(X509 *x509);
876
-
877
- OPENSSL_EXPORT int X509_get_ex_new_index(long argl, void *argp,
878
- CRYPTO_EX_unused *unused,
879
- CRYPTO_EX_dup *dup_unused,
880
- CRYPTO_EX_free *free_func);
881
- OPENSSL_EXPORT int X509_set_ex_data(X509 *r, int idx, void *arg);
882
- OPENSSL_EXPORT void *X509_get_ex_data(X509 *r, int idx);
883
- OPENSSL_EXPORT int i2d_X509_AUX(X509 *a, unsigned char **pp);
884
- OPENSSL_EXPORT X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp,
885
- long length);
886
-
887
- // i2d_re_X509_tbs serializes the TBSCertificate portion of |x509|, as described
888
- // in |i2d_SAMPLE|.
889
- //
890
- // This function re-encodes the TBSCertificate and may not reflect |x509|'s
891
- // original encoding. It may be used to manually generate a signature for a new
892
- // certificate. To verify certificates, use |i2d_X509_tbs| instead.
893
- OPENSSL_EXPORT int i2d_re_X509_tbs(X509 *x509, unsigned char **outp);
894
-
895
- // i2d_X509_tbs serializes the TBSCertificate portion of |x509|, as described in
896
- // |i2d_SAMPLE|.
897
- //
898
- // This function preserves the original encoding of the TBSCertificate and may
899
- // not reflect modifications made to |x509|. It may be used to manually verify
900
- // the signature of an existing certificate. To generate certificates, use
901
- // |i2d_re_X509_tbs| instead.
902
- OPENSSL_EXPORT int i2d_X509_tbs(X509 *x509, unsigned char **outp);
903
-
904
- // X509_set1_signature_algo sets |x509|'s signature algorithm to |algo| and
905
- // returns one on success or zero on error. It updates both the signature field
906
- // of the TBSCertificate structure, and the signatureAlgorithm field of the
907
- // Certificate.
908
- OPENSSL_EXPORT int X509_set1_signature_algo(X509 *x509, const X509_ALGOR *algo);
909
-
910
- // X509_set1_signature_value sets |x509|'s signature to a copy of the |sig_len|
911
- // bytes pointed by |sig|. It returns one on success and zero on error.
912
- //
913
- // Due to a specification error, X.509 certificates store signatures in ASN.1
914
- // BIT STRINGs, but signature algorithms return byte strings rather than bit
915
- // strings. This function creates a BIT STRING containing a whole number of
916
- // bytes, with the bit order matching the DER encoding. This matches the
917
- // encoding used by all X.509 signature algorithms.
918
- OPENSSL_EXPORT int X509_set1_signature_value(X509 *x509, const uint8_t *sig,
919
- size_t sig_len);
920
-
921
- // X509_get0_signature sets |*out_sig| and |*out_alg| to the signature and
922
- // signature algorithm of |x509|, respectively. Either output pointer may be
923
- // NULL to ignore the value.
924
- //
925
- // This function outputs the outer signature algorithm. For the one in the
926
- // TBSCertificate, see |X509_get0_tbs_sigalg|. Certificates with mismatched
927
- // signature algorithms will successfully parse, but they will be rejected when
928
- // verifying.
929
- OPENSSL_EXPORT void X509_get0_signature(const ASN1_BIT_STRING **out_sig,
930
- const X509_ALGOR **out_alg,
931
- const X509 *x509);
932
-
933
- // X509_get_signature_nid returns the NID corresponding to |x509|'s signature
934
- // algorithm, or |NID_undef| if the signature algorithm does not correspond to
935
- // a known NID.
936
- OPENSSL_EXPORT int X509_get_signature_nid(const X509 *x509);
937
-
938
- OPENSSL_EXPORT int X509_alias_set1(X509 *x, const unsigned char *name, int len);
939
- OPENSSL_EXPORT int X509_keyid_set1(X509 *x, const unsigned char *id, int len);
940
- OPENSSL_EXPORT unsigned char *X509_alias_get0(X509 *x, int *len);
941
- OPENSSL_EXPORT unsigned char *X509_keyid_get0(X509 *x, int *len);
942
- OPENSSL_EXPORT int (*X509_TRUST_set_default(int (*trust)(int, X509 *,
943
- int)))(int, X509 *,
944
- int);
945
- OPENSSL_EXPORT int X509_TRUST_set(int *t, int trust);
946
1895
  OPENSSL_EXPORT int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj);
947
1896
  OPENSSL_EXPORT int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj);
948
1897
  OPENSSL_EXPORT void X509_trust_clear(X509 *x);
949
1898
  OPENSSL_EXPORT void X509_reject_clear(X509 *x);
950
1899
 
951
- DECLARE_ASN1_FUNCTIONS(X509_REVOKED)
952
- DECLARE_ASN1_FUNCTIONS(X509_CRL)
1900
+
1901
+ OPENSSL_EXPORT int X509_TRUST_set(int *t, int trust);
1902
+
1903
+ DECLARE_ASN1_FUNCTIONS_const(X509_REVOKED)
953
1904
 
954
1905
  OPENSSL_EXPORT int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);
955
1906
  OPENSSL_EXPORT int X509_CRL_get0_by_serial(X509_CRL *crl, X509_REVOKED **ret,
@@ -960,8 +1911,8 @@ OPENSSL_EXPORT int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret,
960
1911
  OPENSSL_EXPORT X509_PKEY *X509_PKEY_new(void);
961
1912
  OPENSSL_EXPORT void X509_PKEY_free(X509_PKEY *a);
962
1913
 
963
- DECLARE_ASN1_FUNCTIONS(NETSCAPE_SPKI)
964
- DECLARE_ASN1_FUNCTIONS(NETSCAPE_SPKAC)
1914
+ DECLARE_ASN1_FUNCTIONS_const(NETSCAPE_SPKI)
1915
+ DECLARE_ASN1_FUNCTIONS_const(NETSCAPE_SPKAC)
965
1916
 
966
1917
  OPENSSL_EXPORT X509_INFO *X509_INFO_new(void);
967
1918
  OPENSSL_EXPORT void X509_INFO_free(X509_INFO *a);
@@ -988,96 +1939,6 @@ OPENSSL_EXPORT int ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1,
988
1939
  ASN1_BIT_STRING *signature, void *asn,
989
1940
  EVP_MD_CTX *ctx);
990
1941
 
991
- // X509_get_serialNumber returns a mutable pointer to |x509|'s serial number.
992
- // Prefer |X509_get0_serialNumber|.
993
- OPENSSL_EXPORT ASN1_INTEGER *X509_get_serialNumber(X509 *x509);
994
-
995
- // X509_set_issuer_name sets |x509|'s issuer to a copy of |name|. It returns one
996
- // on success and zero on error.
997
- OPENSSL_EXPORT int X509_set_issuer_name(X509 *x509, X509_NAME *name);
998
-
999
- // X509_get_issuer_name returns |x509|'s issuer.
1000
- OPENSSL_EXPORT X509_NAME *X509_get_issuer_name(const X509 *x509);
1001
-
1002
- // X509_set_subject_name sets |x509|'s subject to a copy of |name|. It returns
1003
- // one on success and zero on error.
1004
- OPENSSL_EXPORT int X509_set_subject_name(X509 *x509, X509_NAME *name);
1005
-
1006
- // X509_get_issuer_name returns |x509|'s subject.
1007
- OPENSSL_EXPORT X509_NAME *X509_get_subject_name(const X509 *x509);
1008
-
1009
- // X509_set_pubkey sets |x509|'s public key to |pkey|. It returns one on success
1010
- // and zero on error. This function does not take ownership of |pkey| and
1011
- // internally copies and updates reference counts as needed.
1012
- OPENSSL_EXPORT int X509_set_pubkey(X509 *x509, EVP_PKEY *pkey);
1013
-
1014
- // X509_get_pubkey returns |x509|'s public key as an |EVP_PKEY|, or NULL if the
1015
- // public key was unsupported or could not be decoded. This function returns a
1016
- // reference to the |EVP_PKEY|. The caller must release the result with
1017
- // |EVP_PKEY_free| when done.
1018
- OPENSSL_EXPORT EVP_PKEY *X509_get_pubkey(X509 *x509);
1019
-
1020
- // X509_get0_pubkey_bitstr returns the BIT STRING portion of |x509|'s public
1021
- // key. Note this does not contain the AlgorithmIdentifier portion.
1022
- //
1023
- // WARNING: This function returns a non-const pointer for OpenSSL compatibility,
1024
- // but the caller must not modify the resulting object. Doing so will break
1025
- // internal invariants in |x509|.
1026
- OPENSSL_EXPORT ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x509);
1027
-
1028
- // X509_get0_extensions returns |x509|'s extension list, or NULL if |x509| omits
1029
- // it.
1030
- OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_get0_extensions(
1031
- const X509 *x509);
1032
-
1033
- // X509_get0_tbs_sigalg returns the signature algorithm in |x509|'s
1034
- // TBSCertificate. For the outer signature algorithm, see |X509_get0_signature|.
1035
- //
1036
- // Certificates with mismatched signature algorithms will successfully parse,
1037
- // but they will be rejected when verifying.
1038
- OPENSSL_EXPORT const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x509);
1039
-
1040
- // X509_REQ_set_version sets |req|'s version to |version|, which should be
1041
- // |X509_REQ_VERSION_1|. It returns one on success and zero on error.
1042
- //
1043
- // Note no versions other than |X509_REQ_VERSION_1| are defined for CSRs.
1044
- OPENSSL_EXPORT int X509_REQ_set_version(X509_REQ *req, long version);
1045
-
1046
- // X509_REQ_set_subject_name sets |req|'s subject to a copy of |name|. It
1047
- // returns one on success and zero on error.
1048
- OPENSSL_EXPORT int X509_REQ_set_subject_name(X509_REQ *req, X509_NAME *name);
1049
-
1050
- // X509_REQ_get0_signature sets |*out_sig| and |*out_alg| to the signature and
1051
- // signature algorithm of |req|, respectively. Either output pointer may be NULL
1052
- // to ignore the value.
1053
- OPENSSL_EXPORT void X509_REQ_get0_signature(const X509_REQ *req,
1054
- const ASN1_BIT_STRING **out_sig,
1055
- const X509_ALGOR **out_alg);
1056
-
1057
- // X509_REQ_get_signature_nid returns the NID corresponding to |req|'s signature
1058
- // algorithm, or |NID_undef| if the signature algorithm does not correspond to
1059
- // a known NID.
1060
- OPENSSL_EXPORT int X509_REQ_get_signature_nid(const X509_REQ *req);
1061
-
1062
- // i2d_re_X509_REQ_tbs serializes the CertificationRequestInfo (see RFC 2986)
1063
- // portion of |req|, as described in |i2d_SAMPLE|.
1064
- //
1065
- // This function re-encodes the CertificationRequestInfo and may not reflect
1066
- // |req|'s original encoding. It may be used to manually generate a signature
1067
- // for a new certificate request.
1068
- OPENSSL_EXPORT int i2d_re_X509_REQ_tbs(X509_REQ *req, uint8_t **outp);
1069
-
1070
- // X509_REQ_set_pubkey sets |req|'s public key to |pkey|. It returns one on
1071
- // success and zero on error. This function does not take ownership of |pkey|
1072
- // and internally copies and updates reference counts as needed.
1073
- OPENSSL_EXPORT int X509_REQ_set_pubkey(X509_REQ *req, EVP_PKEY *pkey);
1074
-
1075
- // X509_REQ_get_pubkey returns |req|'s public key as an |EVP_PKEY|, or NULL if
1076
- // the public key was unsupported or could not be decoded. This function returns
1077
- // a reference to the |EVP_PKEY|. The caller must release the result with
1078
- // |EVP_PKEY_free| when done.
1079
- OPENSSL_EXPORT EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req);
1080
-
1081
1942
  // X509_REQ_extension_nid returns one if |nid| is a supported CSR attribute type
1082
1943
  // for carrying extensions and zero otherwise. The supported types are
1083
1944
  // |NID_ext_req| (pkcs-9-at-extensionRequest from RFC 2985) and |NID_ms_ext_req|
@@ -1143,96 +2004,29 @@ OPENSSL_EXPORT int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr);
1143
2004
  // It returns one on success and zero on error. The value is determined by
1144
2005
  // |X509_ATTRIBUTE_set1_data|.
1145
2006
  //
1146
- // WARNING: The interpretation of |attrtype|, |data|, and |len| is complex and
1147
- // error-prone. See |X509_ATTRIBUTE_set1_data| for details.
1148
- OPENSSL_EXPORT int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
1149
- const ASN1_OBJECT *obj,
1150
- int attrtype,
1151
- const unsigned char *data,
1152
- int len);
1153
-
1154
- // X509_REQ_add1_attr_by_NID behaves like |X509_REQ_add1_attr_by_OBJ| except the
1155
- // attribute type is determined by |nid|.
1156
- OPENSSL_EXPORT int X509_REQ_add1_attr_by_NID(X509_REQ *req, int nid,
1157
- int attrtype,
1158
- const unsigned char *data,
1159
- int len);
1160
-
1161
- // X509_REQ_add1_attr_by_txt behaves like |X509_REQ_add1_attr_by_OBJ| except the
1162
- // attribute type is determined by calling |OBJ_txt2obj| with |attrname|.
1163
- OPENSSL_EXPORT int X509_REQ_add1_attr_by_txt(X509_REQ *req,
1164
- const char *attrname, int attrtype,
1165
- const unsigned char *data,
1166
- int len);
1167
-
1168
- // X509_CRL_set_version sets |crl|'s version to |version|, which should be one
1169
- // of the |X509_CRL_VERSION_*| constants. It returns one on success and zero on
1170
- // error.
1171
- //
1172
- // If unsure, use |X509_CRL_VERSION_2|. Note that, unlike certificates, CRL
1173
- // versions are only defined up to v2. Callers should not use |X509_VERSION_3|.
1174
- OPENSSL_EXPORT int X509_CRL_set_version(X509_CRL *crl, long version);
1175
-
1176
- // X509_CRL_set_issuer_name sets |crl|'s issuer to a copy of |name|. It returns
1177
- // one on success and zero on error.
1178
- OPENSSL_EXPORT int X509_CRL_set_issuer_name(X509_CRL *crl, X509_NAME *name);
1179
-
1180
- OPENSSL_EXPORT int X509_CRL_sort(X509_CRL *crl);
1181
-
1182
- // X509_CRL_up_ref adds one to the reference count of |crl| and returns one.
1183
- OPENSSL_EXPORT int X509_CRL_up_ref(X509_CRL *crl);
1184
-
1185
- // X509_CRL_get0_signature sets |*out_sig| and |*out_alg| to the signature and
1186
- // signature algorithm of |crl|, respectively. Either output pointer may be NULL
1187
- // to ignore the value.
1188
- //
1189
- // This function outputs the outer signature algorithm, not the one in the
1190
- // TBSCertList. CRLs with mismatched signature algorithms will successfully
1191
- // parse, but they will be rejected when verifying.
1192
- OPENSSL_EXPORT void X509_CRL_get0_signature(const X509_CRL *crl,
1193
- const ASN1_BIT_STRING **out_sig,
1194
- const X509_ALGOR **out_alg);
1195
-
1196
- // X509_CRL_get_signature_nid returns the NID corresponding to |crl|'s signature
1197
- // algorithm, or |NID_undef| if the signature algorithm does not correspond to
1198
- // a known NID.
1199
- OPENSSL_EXPORT int X509_CRL_get_signature_nid(const X509_CRL *crl);
1200
-
1201
- // i2d_re_X509_CRL_tbs serializes the TBSCertList portion of |crl|, as described
1202
- // in |i2d_SAMPLE|.
1203
- //
1204
- // This function re-encodes the TBSCertList and may not reflect |crl|'s original
1205
- // encoding. It may be used to manually generate a signature for a new CRL. To
1206
- // verify CRLs, use |i2d_X509_CRL_tbs| instead.
1207
- OPENSSL_EXPORT int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **outp);
1208
-
1209
- // i2d_X509_CRL_tbs serializes the TBSCertList portion of |crl|, as described in
1210
- // |i2d_SAMPLE|.
1211
- //
1212
- // This function preserves the original encoding of the TBSCertList and may not
1213
- // reflect modifications made to |crl|. It may be used to manually verify the
1214
- // signature of an existing CRL. To generate CRLs, use |i2d_re_X509_CRL_tbs|
1215
- // instead.
1216
- OPENSSL_EXPORT int i2d_X509_CRL_tbs(X509_CRL *crl, unsigned char **outp);
2007
+ // WARNING: The interpretation of |attrtype|, |data|, and |len| is complex and
2008
+ // error-prone. See |X509_ATTRIBUTE_set1_data| for details.
2009
+ OPENSSL_EXPORT int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
2010
+ const ASN1_OBJECT *obj,
2011
+ int attrtype,
2012
+ const unsigned char *data,
2013
+ int len);
1217
2014
 
1218
- // X509_CRL_set1_signature_algo sets |crl|'s signature algorithm to |algo| and
1219
- // returns one on success or zero on error. It updates both the signature field
1220
- // of the TBSCertList structure, and the signatureAlgorithm field of the CRL.
1221
- OPENSSL_EXPORT int X509_CRL_set1_signature_algo(X509_CRL *crl,
1222
- const X509_ALGOR *algo);
2015
+ // X509_REQ_add1_attr_by_NID behaves like |X509_REQ_add1_attr_by_OBJ| except the
2016
+ // attribute type is determined by |nid|.
2017
+ OPENSSL_EXPORT int X509_REQ_add1_attr_by_NID(X509_REQ *req, int nid,
2018
+ int attrtype,
2019
+ const unsigned char *data,
2020
+ int len);
1223
2021
 
1224
- // X509_CRL_set1_signature_value sets |crl|'s signature to a copy of the
1225
- // |sig_len| bytes pointed by |sig|. It returns one on success and zero on
1226
- // error.
1227
- //
1228
- // Due to a specification error, X.509 CRLs store signatures in ASN.1 BIT
1229
- // STRINGs, but signature algorithms return byte strings rather than bit
1230
- // strings. This function creates a BIT STRING containing a whole number of
1231
- // bytes, with the bit order matching the DER encoding. This matches the
1232
- // encoding used by all X.509 signature algorithms.
1233
- OPENSSL_EXPORT int X509_CRL_set1_signature_value(X509_CRL *crl,
1234
- const uint8_t *sig,
1235
- size_t sig_len);
2022
+ // X509_REQ_add1_attr_by_txt behaves like |X509_REQ_add1_attr_by_OBJ| except the
2023
+ // attribute type is determined by calling |OBJ_txt2obj| with |attrname|.
2024
+ OPENSSL_EXPORT int X509_REQ_add1_attr_by_txt(X509_REQ *req,
2025
+ const char *attrname, int attrtype,
2026
+ const unsigned char *data,
2027
+ int len);
2028
+
2029
+ OPENSSL_EXPORT int X509_CRL_sort(X509_CRL *crl);
1236
2030
 
1237
2031
  // X509_REVOKED_get0_serialNumber returns the serial number of the certificate
1238
2032
  // revoked by |revoked|.
@@ -1266,19 +2060,6 @@ OPENSSL_EXPORT X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
1266
2060
  OPENSSL_EXPORT int X509_REQ_check_private_key(X509_REQ *x509, EVP_PKEY *pkey);
1267
2061
 
1268
2062
  OPENSSL_EXPORT int X509_check_private_key(X509 *x509, const EVP_PKEY *pkey);
1269
- OPENSSL_EXPORT int X509_chain_check_suiteb(int *perror_depth, X509 *x,
1270
- STACK_OF(X509) *chain,
1271
- unsigned long flags);
1272
- OPENSSL_EXPORT int X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk,
1273
- unsigned long flags);
1274
-
1275
- // X509_chain_up_ref returns a newly-allocated |STACK_OF(X509)| containing a
1276
- // shallow copy of |chain|, or NULL on error. That is, the return value has the
1277
- // same contents as |chain|, and each |X509|'s reference count is incremented by
1278
- // one.
1279
- OPENSSL_EXPORT STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain);
1280
-
1281
- OPENSSL_EXPORT int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b);
1282
2063
 
1283
2064
  OPENSSL_EXPORT int X509_issuer_name_cmp(const X509 *a, const X509 *b);
1284
2065
  OPENSSL_EXPORT unsigned long X509_issuer_name_hash(X509 *a);
@@ -1310,149 +2091,11 @@ OPENSSL_EXPORT int X509_NAME_print_ex(BIO *out, const X509_NAME *nm, int indent,
1310
2091
  OPENSSL_EXPORT int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflag,
1311
2092
  unsigned long cflag);
1312
2093
  OPENSSL_EXPORT int X509_print(BIO *bp, X509 *x);
1313
- OPENSSL_EXPORT int X509_ocspid_print(BIO *bp, X509 *x);
1314
- OPENSSL_EXPORT int X509_CERT_AUX_print(BIO *bp, X509_CERT_AUX *x, int indent);
1315
2094
  OPENSSL_EXPORT int X509_CRL_print(BIO *bp, X509_CRL *x);
1316
2095
  OPENSSL_EXPORT int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflag,
1317
2096
  unsigned long cflag);
1318
2097
  OPENSSL_EXPORT int X509_REQ_print(BIO *bp, X509_REQ *req);
1319
2098
 
1320
- OPENSSL_EXPORT int X509_NAME_entry_count(const X509_NAME *name);
1321
- OPENSSL_EXPORT int X509_NAME_get_text_by_NID(const X509_NAME *name, int nid,
1322
- char *buf, int len);
1323
- OPENSSL_EXPORT int X509_NAME_get_text_by_OBJ(const X509_NAME *name,
1324
- const ASN1_OBJECT *obj, char *buf,
1325
- int len);
1326
-
1327
- // NOTE: you should be passsing -1, not 0 as lastpos. The functions that use
1328
- // lastpos, search after that position on.
1329
- OPENSSL_EXPORT int X509_NAME_get_index_by_NID(const X509_NAME *name, int nid,
1330
- int lastpos);
1331
- OPENSSL_EXPORT int X509_NAME_get_index_by_OBJ(const X509_NAME *name,
1332
- const ASN1_OBJECT *obj,
1333
- int lastpos);
1334
- OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_get_entry(const X509_NAME *name,
1335
- int loc);
1336
- OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name,
1337
- int loc);
1338
- OPENSSL_EXPORT int X509_NAME_add_entry(X509_NAME *name, X509_NAME_ENTRY *ne,
1339
- int loc, int set);
1340
- OPENSSL_EXPORT int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj,
1341
- int type,
1342
- const unsigned char *bytes,
1343
- int len, int loc, int set);
1344
- OPENSSL_EXPORT int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid,
1345
- int type,
1346
- const unsigned char *bytes,
1347
- int len, int loc, int set);
1348
- OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(
1349
- X509_NAME_ENTRY **ne, const char *field, int type,
1350
- const unsigned char *bytes, int len);
1351
- OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(
1352
- X509_NAME_ENTRY **ne, int nid, int type, const unsigned char *bytes,
1353
- int len);
1354
- OPENSSL_EXPORT int X509_NAME_add_entry_by_txt(X509_NAME *name,
1355
- const char *field, int type,
1356
- const unsigned char *bytes,
1357
- int len, int loc, int set);
1358
- OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(
1359
- X509_NAME_ENTRY **ne, const ASN1_OBJECT *obj, int type,
1360
- const unsigned char *bytes, int len);
1361
- OPENSSL_EXPORT int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne,
1362
- const ASN1_OBJECT *obj);
1363
- OPENSSL_EXPORT int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
1364
- const unsigned char *bytes,
1365
- int len);
1366
- OPENSSL_EXPORT ASN1_OBJECT *X509_NAME_ENTRY_get_object(
1367
- const X509_NAME_ENTRY *ne);
1368
- OPENSSL_EXPORT ASN1_STRING *X509_NAME_ENTRY_get_data(const X509_NAME_ENTRY *ne);
1369
-
1370
- // X509v3_get_ext_count returns the number of extensions in |x|.
1371
- OPENSSL_EXPORT int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x);
1372
-
1373
- // X509v3_get_ext_by_NID returns the index of the first extension in |x| with
1374
- // type |nid|, or a negative number if not found. If found, callers can use
1375
- // |X509v3_get_ext| to look up the extension by index.
1376
- //
1377
- // If |lastpos| is non-negative, it begins searching at |lastpos| + 1. Callers
1378
- // can thus loop over all matching extensions by first passing -1 and then
1379
- // passing the previously-returned value until no match is returned.
1380
- OPENSSL_EXPORT int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x,
1381
- int nid, int lastpos);
1382
-
1383
- // X509v3_get_ext_by_OBJ behaves like |X509v3_get_ext_by_NID| but looks for
1384
- // extensions matching |obj|.
1385
- OPENSSL_EXPORT int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *x,
1386
- const ASN1_OBJECT *obj, int lastpos);
1387
-
1388
- // X509v3_get_ext_by_critical returns the index of the first extension in |x|
1389
- // whose critical bit matches |crit|, or a negative number if no such extension
1390
- // was found.
1391
- //
1392
- // If |lastpos| is non-negative, it begins searching at |lastpos| + 1. Callers
1393
- // can thus loop over all matching extensions by first passing -1 and then
1394
- // passing the previously-returned value until no match is returned.
1395
- OPENSSL_EXPORT int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *x,
1396
- int crit, int lastpos);
1397
-
1398
- // X509v3_get_ext returns the extension in |x| at index |loc|, or NULL if |loc|
1399
- // is out of bounds.
1400
- OPENSSL_EXPORT X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x,
1401
- int loc);
1402
-
1403
- // X509v3_delete_ext removes the extension in |x| at index |loc| and returns the
1404
- // removed extension, or NULL if |loc| was out of bounds. If an extension was
1405
- // returned, the caller must release it with |X509_EXTENSION_free|.
1406
- OPENSSL_EXPORT X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x,
1407
- int loc);
1408
-
1409
- // X509v3_add_ext adds a copy of |ex| to the extension list in |*x|. If |*x| is
1410
- // NULL, it allocates a new |STACK_OF(X509_EXTENSION)| to hold the copy and sets
1411
- // |*x| to the new list. It returns |*x| on success and NULL on error. The
1412
- // caller retains ownership of |ex| and can release it independently of |*x|.
1413
- //
1414
- // The new extension is inserted at index |loc|, shifting extensions to the
1415
- // right. If |loc| is -1 or out of bounds, the new extension is appended to the
1416
- // list.
1417
- OPENSSL_EXPORT STACK_OF(X509_EXTENSION) *X509v3_add_ext(
1418
- STACK_OF(X509_EXTENSION) **x, X509_EXTENSION *ex, int loc);
1419
-
1420
- // X509_get_ext_count returns the number of extensions in |x|.
1421
- OPENSSL_EXPORT int X509_get_ext_count(const X509 *x);
1422
-
1423
- // X509_get_ext_by_NID behaves like |X509v3_get_ext_by_NID| but searches for
1424
- // extensions in |x|.
1425
- OPENSSL_EXPORT int X509_get_ext_by_NID(const X509 *x, int nid, int lastpos);
1426
-
1427
- // X509_get_ext_by_OBJ behaves like |X509v3_get_ext_by_OBJ| but searches for
1428
- // extensions in |x|.
1429
- OPENSSL_EXPORT int X509_get_ext_by_OBJ(const X509 *x, const ASN1_OBJECT *obj,
1430
- int lastpos);
1431
-
1432
- // X509_get_ext_by_critical behaves like |X509v3_get_ext_by_critical| but
1433
- // searches for extensions in |x|.
1434
- OPENSSL_EXPORT int X509_get_ext_by_critical(const X509 *x, int crit,
1435
- int lastpos);
1436
-
1437
- // X509_get_ext returns the extension in |x| at index |loc|, or NULL if |loc| is
1438
- // out of bounds.
1439
- OPENSSL_EXPORT X509_EXTENSION *X509_get_ext(const X509 *x, int loc);
1440
-
1441
- // X509_delete_ext removes the extension in |x| at index |loc| and returns the
1442
- // removed extension, or NULL if |loc| was out of bounds. If non-NULL, the
1443
- // caller must release the result with |X509_EXTENSION_free|. It is also safe,
1444
- // but not necessary, to call |X509_EXTENSION_free| if the result is NULL.
1445
- OPENSSL_EXPORT X509_EXTENSION *X509_delete_ext(X509 *x, int loc);
1446
-
1447
- // X509_add_ext adds a copy of |ex| to |x|. It returns one on success and zero
1448
- // on failure. The caller retains ownership of |ex| and can release it
1449
- // independently of |x|.
1450
- //
1451
- // The new extension is inserted at index |loc|, shifting extensions to the
1452
- // right. If |loc| is -1 or out of bounds, the new extension is appended to the
1453
- // list.
1454
- OPENSSL_EXPORT int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc);
1455
-
1456
2099
  // X509_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the extension in
1457
2100
  // |x509|'s extension list.
1458
2101
  //
@@ -1470,43 +2113,6 @@ OPENSSL_EXPORT void *X509_get_ext_d2i(const X509 *x509, int nid,
1470
2113
  OPENSSL_EXPORT int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
1471
2114
  unsigned long flags);
1472
2115
 
1473
- // X509_CRL_get_ext_count returns the number of extensions in |x|.
1474
- OPENSSL_EXPORT int X509_CRL_get_ext_count(const X509_CRL *x);
1475
-
1476
- // X509_CRL_get_ext_by_NID behaves like |X509v3_get_ext_by_NID| but searches for
1477
- // extensions in |x|.
1478
- OPENSSL_EXPORT int X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid,
1479
- int lastpos);
1480
-
1481
- // X509_CRL_get_ext_by_OBJ behaves like |X509v3_get_ext_by_OBJ| but searches for
1482
- // extensions in |x|.
1483
- OPENSSL_EXPORT int X509_CRL_get_ext_by_OBJ(const X509_CRL *x,
1484
- const ASN1_OBJECT *obj, int lastpos);
1485
-
1486
- // X509_CRL_get_ext_by_critical behaves like |X509v3_get_ext_by_critical| but
1487
- // searches for extensions in |x|.
1488
- OPENSSL_EXPORT int X509_CRL_get_ext_by_critical(const X509_CRL *x, int crit,
1489
- int lastpos);
1490
-
1491
- // X509_CRL_get_ext returns the extension in |x| at index |loc|, or NULL if
1492
- // |loc| is out of bounds.
1493
- OPENSSL_EXPORT X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc);
1494
-
1495
- // X509_CRL_delete_ext removes the extension in |x| at index |loc| and returns
1496
- // the removed extension, or NULL if |loc| was out of bounds. If non-NULL, the
1497
- // caller must release the result with |X509_EXTENSION_free|. It is also safe,
1498
- // but not necessary, to call |X509_EXTENSION_free| if the result is NULL.
1499
- OPENSSL_EXPORT X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc);
1500
-
1501
- // X509_CRL_add_ext adds a copy of |ex| to |x|. It returns one on success and
1502
- // zero on failure. The caller retains ownership of |ex| and can release it
1503
- // independently of |x|.
1504
- //
1505
- // The new extension is inserted at index |loc|, shifting extensions to the
1506
- // right. If |loc| is -1 or out of bounds, the new extension is appended to the
1507
- // list.
1508
- OPENSSL_EXPORT int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc);
1509
-
1510
2116
  // X509_CRL_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the
1511
2117
  // extension in |crl|'s extension list.
1512
2118
  //
@@ -1544,15 +2150,14 @@ OPENSSL_EXPORT int X509_REVOKED_get_ext_by_critical(const X509_REVOKED *x,
1544
2150
  int crit, int lastpos);
1545
2151
 
1546
2152
  // X509_REVOKED_get_ext returns the extension in |x| at index |loc|, or NULL if
1547
- // |loc| is out of bounds.
2153
+ // |loc| is out of bounds. This function returns a non-const pointer for OpenSSL
2154
+ // compatibility, but callers should not mutate the result.
1548
2155
  OPENSSL_EXPORT X509_EXTENSION *X509_REVOKED_get_ext(const X509_REVOKED *x,
1549
2156
  int loc);
1550
2157
 
1551
2158
  // X509_REVOKED_delete_ext removes the extension in |x| at index |loc| and
1552
2159
  // returns the removed extension, or NULL if |loc| was out of bounds. If
1553
- // non-NULL, the caller must release the result with |X509_EXTENSION_free|. It
1554
- // is also safe, but not necessary, to call |X509_EXTENSION_free| if the result
1555
- // is NULL.
2160
+ // non-NULL, the caller must release the result with |X509_EXTENSION_free|.
1556
2161
  OPENSSL_EXPORT X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x,
1557
2162
  int loc);
1558
2163
 
@@ -1563,8 +2168,8 @@ OPENSSL_EXPORT X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x,
1563
2168
  // The new extension is inserted at index |loc|, shifting extensions to the
1564
2169
  // right. If |loc| is -1 or out of bounds, the new extension is appended to the
1565
2170
  // list.
1566
- OPENSSL_EXPORT int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex,
1567
- int loc);
2171
+ OPENSSL_EXPORT int X509_REVOKED_add_ext(X509_REVOKED *x,
2172
+ const X509_EXTENSION *ex, int loc);
1568
2173
 
1569
2174
  // X509_REVOKED_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the
1570
2175
  // extension in |revoked|'s extension list.
@@ -1585,47 +2190,6 @@ OPENSSL_EXPORT int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid,
1585
2190
  void *value, int crit,
1586
2191
  unsigned long flags);
1587
2192
 
1588
- // X509_EXTENSION_create_by_NID creates a new |X509_EXTENSION| with type |nid|,
1589
- // value |data|, and critical bit |crit|. It returns the newly-allocated
1590
- // |X509_EXTENSION| on success, and false on error. |nid| should be a |NID_*|
1591
- // constant.
1592
- //
1593
- // If |ex| and |*ex| are both non-NULL, it modifies and returns |*ex| instead of
1594
- // creating a new object. If |ex| is non-NULL, but |*ex| is NULL, it sets |*ex|
1595
- // to the new |X509_EXTENSION|, in addition to returning the result.
1596
- OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_create_by_NID(
1597
- X509_EXTENSION **ex, int nid, int crit, const ASN1_OCTET_STRING *data);
1598
-
1599
- // X509_EXTENSION_create_by_OBJ behaves like |X509_EXTENSION_create_by_NID|, but
1600
- // the extension type is determined by an |ASN1_OBJECT|.
1601
- OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_create_by_OBJ(
1602
- X509_EXTENSION **ex, const ASN1_OBJECT *obj, int crit,
1603
- const ASN1_OCTET_STRING *data);
1604
-
1605
- // X509_EXTENSION_set_object sets |ex|'s extension type to |obj|. It returns one
1606
- // on success and zero on error.
1607
- OPENSSL_EXPORT int X509_EXTENSION_set_object(X509_EXTENSION *ex,
1608
- const ASN1_OBJECT *obj);
1609
-
1610
- // X509_EXTENSION_set_critical sets |ex| to critical if |crit| is non-zero and
1611
- // to non-critical if |crit| is zero.
1612
- OPENSSL_EXPORT int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit);
1613
-
1614
- // X509_EXTENSION_set_data set's |ex|'s extension value to a copy of |data|. It
1615
- // returns one on success and zero on error.
1616
- OPENSSL_EXPORT int X509_EXTENSION_set_data(X509_EXTENSION *ex,
1617
- const ASN1_OCTET_STRING *data);
1618
-
1619
- // X509_EXTENSION_get_object returns |ex|'s extension type.
1620
- OPENSSL_EXPORT ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex);
1621
-
1622
- // X509_EXTENSION_get_data returns |ne|'s extension value.
1623
- OPENSSL_EXPORT ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ne);
1624
-
1625
- // X509_EXTENSION_get_critical returns one if |ex| is critical and zero
1626
- // otherwise.
1627
- OPENSSL_EXPORT int X509_EXTENSION_get_critical(const X509_EXTENSION *ex);
1628
-
1629
2193
  // X509at_get_attr_count returns the number of attributes in |x|.
1630
2194
  OPENSSL_EXPORT int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x);
1631
2195
 
@@ -1727,8 +2291,6 @@ OPENSSL_EXPORT int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr,
1727
2291
  // |attr|'s type. If |len| is -1, |strlen(data)| is used instead. See
1728
2292
  // |ASN1_STRING_set_by_NID| for details.
1729
2293
  //
1730
- // TODO(davidben): Document |ASN1_STRING_set_by_NID| so the reference is useful.
1731
- //
1732
2294
  // Otherwise, if |len| is not -1, the value is an ASN.1 string. |attrtype| is an
1733
2295
  // |ASN1_STRING| type value and the |len| bytes from |data| are copied as the
1734
2296
  // type-specific representation of |ASN1_STRING|. See |ASN1_STRING| for details.
@@ -1777,25 +2339,23 @@ OPENSSL_EXPORT ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr,
1777
2339
 
1778
2340
  OPENSSL_EXPORT int X509_verify_cert(X509_STORE_CTX *ctx);
1779
2341
 
1780
- // lookup a cert from a X509 STACK
1781
- OPENSSL_EXPORT X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk,
1782
- X509_NAME *name,
1783
- ASN1_INTEGER *serial);
1784
- OPENSSL_EXPORT X509 *X509_find_by_subject(STACK_OF(X509) *sk, X509_NAME *name);
1785
-
1786
2342
  // PKCS#8 utilities
1787
2343
 
1788
- DECLARE_ASN1_FUNCTIONS(PKCS8_PRIV_KEY_INFO)
2344
+ DECLARE_ASN1_FUNCTIONS_const(PKCS8_PRIV_KEY_INFO)
1789
2345
 
1790
- OPENSSL_EXPORT EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8);
1791
- OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey);
2346
+ // EVP_PKCS82PKEY returns |p8| as a newly-allocated |EVP_PKEY|, or NULL if the
2347
+ // key was unsupported or could not be decoded. If non-NULL, the caller must
2348
+ // release the result with |EVP_PKEY_free| when done.
2349
+ //
2350
+ // Use |EVP_parse_private_key| instead.
2351
+ OPENSSL_EXPORT EVP_PKEY *EVP_PKCS82PKEY(const PKCS8_PRIV_KEY_INFO *p8);
1792
2352
 
1793
- OPENSSL_EXPORT int PKCS8_pkey_set0(PKCS8_PRIV_KEY_INFO *priv, ASN1_OBJECT *aobj,
1794
- int version, int ptype, void *pval,
1795
- unsigned char *penc, int penclen);
1796
- OPENSSL_EXPORT int PKCS8_pkey_get0(ASN1_OBJECT **ppkalg,
1797
- const unsigned char **pk, int *ppklen,
1798
- X509_ALGOR **pa, PKCS8_PRIV_KEY_INFO *p8);
2353
+ // EVP_PKEY2PKCS8 encodes |pkey| as a PKCS#8 PrivateKeyInfo (RFC 5208),
2354
+ // represented as a newly-allocated |PKCS8_PRIV_KEY_INFO|, or NULL on error. The
2355
+ // caller must release the result with |PKCS8_PRIV_KEY_INFO_free| when done.
2356
+ //
2357
+ // Use |EVP_marshal_private_key| instead.
2358
+ OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(const EVP_PKEY *pkey);
1799
2359
 
1800
2360
  // X509_PUBKEY_set0_param sets |pub| to a key with AlgorithmIdentifier
1801
2361
  // determined by |obj|, |param_type|, and |param_value|, and an encoded
@@ -1852,7 +2412,7 @@ struct rsa_pss_params_st {
1852
2412
  X509_ALGOR *maskHash;
1853
2413
  } /* RSA_PSS_PARAMS */;
1854
2414
 
1855
- DECLARE_ASN1_FUNCTIONS(RSA_PSS_PARAMS)
2415
+ DECLARE_ASN1_FUNCTIONS_const(RSA_PSS_PARAMS)
1856
2416
 
1857
2417
  /*
1858
2418
  SSL_CTX -> X509_STORE
@@ -1977,14 +2537,6 @@ OPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
1977
2537
  #define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53
1978
2538
  #define X509_V_ERR_CRL_PATH_VALIDATION_ERROR 54
1979
2539
 
1980
- // Suite B mode algorithm violation
1981
- #define X509_V_ERR_SUITE_B_INVALID_VERSION 56
1982
- #define X509_V_ERR_SUITE_B_INVALID_ALGORITHM 57
1983
- #define X509_V_ERR_SUITE_B_INVALID_CURVE 58
1984
- #define X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM 59
1985
- #define X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED 60
1986
- #define X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 61
1987
-
1988
2540
  // Host, email and IP check errors
1989
2541
  #define X509_V_ERR_HOSTNAME_MISMATCH 62
1990
2542
  #define X509_V_ERR_EMAIL_MISMATCH 63
@@ -2011,7 +2563,7 @@ OPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
2011
2563
  #define X509_V_FLAG_IGNORE_CRITICAL 0x10
2012
2564
  // Does nothing as its functionality has been enabled by default.
2013
2565
  #define X509_V_FLAG_X509_STRICT 0x00
2014
- // Enable proxy certificate validation
2566
+ // This flag does nothing as proxy certificate support has been removed.
2015
2567
  #define X509_V_FLAG_ALLOW_PROXY_CERTS 0x40
2016
2568
  // Enable policy checking
2017
2569
  #define X509_V_FLAG_POLICY_CHECK 0x80
@@ -2031,12 +2583,6 @@ OPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
2031
2583
  #define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
2032
2584
  // Use trusted store first
2033
2585
  #define X509_V_FLAG_TRUSTED_FIRST 0x8000
2034
- // Suite B 128 bit only mode: not normally used
2035
- #define X509_V_FLAG_SUITEB_128_LOS_ONLY 0x10000
2036
- // Suite B 192 bit only mode
2037
- #define X509_V_FLAG_SUITEB_192_LOS 0x20000
2038
- // Suite B 128 bit mode allowing 192 bit algorithms
2039
- #define X509_V_FLAG_SUITEB_128_LOS 0x30000
2040
2586
 
2041
2587
  // Allow partial chains if at least one certificate is in trusted store
2042
2588
  #define X509_V_FLAG_PARTIAL_CHAIN 0x80000
@@ -2046,6 +2592,10 @@ OPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
2046
2592
  // will force the behaviour to match that of previous versions.
2047
2593
  #define X509_V_FLAG_NO_ALT_CHAINS 0x100000
2048
2594
 
2595
+ // X509_V_FLAG_NO_CHECK_TIME disables all time checks in certificate
2596
+ // verification.
2597
+ #define X509_V_FLAG_NO_CHECK_TIME 0x200000
2598
+
2049
2599
  #define X509_VP_FLAG_DEFAULT 0x1
2050
2600
  #define X509_VP_FLAG_OVERWRITE 0x2
2051
2601
  #define X509_VP_FLAG_RESET_FLAGS 0x4
@@ -2144,8 +2694,21 @@ OPENSSL_EXPORT void X509_STORE_CTX_zero(X509_STORE_CTX *ctx);
2144
2694
  OPENSSL_EXPORT void X509_STORE_CTX_free(X509_STORE_CTX *ctx);
2145
2695
  OPENSSL_EXPORT int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
2146
2696
  X509 *x509, STACK_OF(X509) *chain);
2697
+
2698
+ // X509_STORE_CTX_set0_trusted_stack configures |ctx| to trust the certificates
2699
+ // in |sk|. |sk| must remain valid for the duration of |ctx|.
2700
+ //
2701
+ // WARNING: This function differs from most |set0| functions in that it does not
2702
+ // take ownership of its input. The caller is required to ensure the lifetimes
2703
+ // are consistent.
2704
+ OPENSSL_EXPORT void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx,
2705
+ STACK_OF(X509) *sk);
2706
+
2707
+ // X509_STORE_CTX_trusted_stack is a deprecated alias for
2708
+ // |X509_STORE_CTX_set0_trusted_stack|.
2147
2709
  OPENSSL_EXPORT void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx,
2148
2710
  STACK_OF(X509) *sk);
2711
+
2149
2712
  OPENSSL_EXPORT void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);
2150
2713
 
2151
2714
  OPENSSL_EXPORT X509_STORE *X509_STORE_CTX_get0_store(X509_STORE_CTX *ctx);
@@ -2180,15 +2743,6 @@ OPENSSL_EXPORT void X509_LOOKUP_free(X509_LOOKUP *ctx);
2180
2743
  OPENSSL_EXPORT int X509_LOOKUP_init(X509_LOOKUP *ctx);
2181
2744
  OPENSSL_EXPORT int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type,
2182
2745
  X509_NAME *name, X509_OBJECT *ret);
2183
- OPENSSL_EXPORT int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type,
2184
- X509_NAME *name,
2185
- ASN1_INTEGER *serial,
2186
- X509_OBJECT *ret);
2187
- OPENSSL_EXPORT int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type,
2188
- unsigned char *bytes, int len,
2189
- X509_OBJECT *ret);
2190
- OPENSSL_EXPORT int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str,
2191
- int len, X509_OBJECT *ret);
2192
2746
  OPENSSL_EXPORT int X509_LOOKUP_shutdown(X509_LOOKUP *ctx);
2193
2747
 
2194
2748
  #ifndef OPENSSL_NO_STDIO
@@ -2196,14 +2750,6 @@ OPENSSL_EXPORT int X509_STORE_load_locations(X509_STORE *ctx, const char *file,
2196
2750
  const char *dir);
2197
2751
  OPENSSL_EXPORT int X509_STORE_set_default_paths(X509_STORE *ctx);
2198
2752
  #endif
2199
-
2200
- OPENSSL_EXPORT int X509_STORE_CTX_get_ex_new_index(long argl, void *argp,
2201
- CRYPTO_EX_unused *unused,
2202
- CRYPTO_EX_dup *dup_unused,
2203
- CRYPTO_EX_free *free_func);
2204
- OPENSSL_EXPORT int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx,
2205
- void *data);
2206
- OPENSSL_EXPORT void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx);
2207
2753
  OPENSSL_EXPORT int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
2208
2754
  OPENSSL_EXPORT void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int s);
2209
2755
  OPENSSL_EXPORT int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
@@ -2231,13 +2777,12 @@ OPENSSL_EXPORT void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx,
2231
2777
  unsigned long flags);
2232
2778
  OPENSSL_EXPORT void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx,
2233
2779
  unsigned long flags, time_t t);
2780
+ OPENSSL_EXPORT void X509_STORE_CTX_set_time_posix(X509_STORE_CTX *ctx,
2781
+ unsigned long flags,
2782
+ int64_t t);
2234
2783
  OPENSSL_EXPORT void X509_STORE_CTX_set_verify_cb(
2235
2784
  X509_STORE_CTX *ctx, int (*verify_cb)(int, X509_STORE_CTX *));
2236
2785
 
2237
- OPENSSL_EXPORT X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(
2238
- X509_STORE_CTX *ctx);
2239
- OPENSSL_EXPORT int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx);
2240
-
2241
2786
  OPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(
2242
2787
  X509_STORE_CTX *ctx);
2243
2788
  OPENSSL_EXPORT void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx,
@@ -2269,10 +2814,12 @@ OPENSSL_EXPORT void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param,
2269
2814
  int depth);
2270
2815
  OPENSSL_EXPORT void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param,
2271
2816
  time_t t);
2817
+ OPENSSL_EXPORT void X509_VERIFY_PARAM_set_time_posix(X509_VERIFY_PARAM *param,
2818
+ int64_t t);
2272
2819
  OPENSSL_EXPORT int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
2273
2820
  ASN1_OBJECT *policy);
2274
2821
  OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_policies(
2275
- X509_VERIFY_PARAM *param, STACK_OF(ASN1_OBJECT) *policies);
2822
+ X509_VERIFY_PARAM *param, const STACK_OF(ASN1_OBJECT) *policies);
2276
2823
 
2277
2824
  OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
2278
2825
  const char *name,
@@ -2303,37 +2850,6 @@ OPENSSL_EXPORT const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(
2303
2850
  const char *name);
2304
2851
  OPENSSL_EXPORT void X509_VERIFY_PARAM_table_cleanup(void);
2305
2852
 
2306
- OPENSSL_EXPORT int X509_policy_check(X509_POLICY_TREE **ptree,
2307
- int *pexplicit_policy,
2308
- STACK_OF(X509) *certs,
2309
- STACK_OF(ASN1_OBJECT) *policy_oids,
2310
- unsigned int flags);
2311
-
2312
- OPENSSL_EXPORT void X509_policy_tree_free(X509_POLICY_TREE *tree);
2313
-
2314
- OPENSSL_EXPORT int X509_policy_tree_level_count(const X509_POLICY_TREE *tree);
2315
- OPENSSL_EXPORT X509_POLICY_LEVEL *X509_policy_tree_get0_level(
2316
- const X509_POLICY_TREE *tree, int i);
2317
-
2318
- OPENSSL_EXPORT STACK_OF(X509_POLICY_NODE) *X509_policy_tree_get0_policies(
2319
- const X509_POLICY_TREE *tree);
2320
-
2321
- OPENSSL_EXPORT STACK_OF(X509_POLICY_NODE) *X509_policy_tree_get0_user_policies(
2322
- const X509_POLICY_TREE *tree);
2323
-
2324
- OPENSSL_EXPORT int X509_policy_level_node_count(X509_POLICY_LEVEL *level);
2325
-
2326
- OPENSSL_EXPORT X509_POLICY_NODE *X509_policy_level_get0_node(
2327
- X509_POLICY_LEVEL *level, int i);
2328
-
2329
- OPENSSL_EXPORT const ASN1_OBJECT *X509_policy_node_get0_policy(
2330
- const X509_POLICY_NODE *node);
2331
-
2332
- OPENSSL_EXPORT STACK_OF(POLICYQUALINFO) *X509_policy_node_get0_qualifiers(
2333
- const X509_POLICY_NODE *node);
2334
- OPENSSL_EXPORT const X509_POLICY_NODE *X509_policy_node_get0_parent(
2335
- const X509_POLICY_NODE *node);
2336
-
2337
2853
 
2338
2854
  #if defined(__cplusplus)
2339
2855
  } // extern C
@@ -2352,14 +2868,12 @@ BORINGSSL_MAKE_DELETER(X509_ALGOR, X509_ALGOR_free)
2352
2868
  BORINGSSL_MAKE_DELETER(X509_ATTRIBUTE, X509_ATTRIBUTE_free)
2353
2869
  BORINGSSL_MAKE_DELETER(X509_CRL, X509_CRL_free)
2354
2870
  BORINGSSL_MAKE_UP_REF(X509_CRL, X509_CRL_up_ref)
2355
- BORINGSSL_MAKE_DELETER(X509_CRL_METHOD, X509_CRL_METHOD_free)
2356
2871
  BORINGSSL_MAKE_DELETER(X509_EXTENSION, X509_EXTENSION_free)
2357
2872
  BORINGSSL_MAKE_DELETER(X509_INFO, X509_INFO_free)
2358
2873
  BORINGSSL_MAKE_DELETER(X509_LOOKUP, X509_LOOKUP_free)
2359
2874
  BORINGSSL_MAKE_DELETER(X509_NAME, X509_NAME_free)
2360
2875
  BORINGSSL_MAKE_DELETER(X509_NAME_ENTRY, X509_NAME_ENTRY_free)
2361
2876
  BORINGSSL_MAKE_DELETER(X509_PKEY, X509_PKEY_free)
2362
- BORINGSSL_MAKE_DELETER(X509_POLICY_TREE, X509_policy_tree_free)
2363
2877
  BORINGSSL_MAKE_DELETER(X509_PUBKEY, X509_PUBKEY_free)
2364
2878
  BORINGSSL_MAKE_DELETER(X509_REQ, X509_REQ_free)
2365
2879
  BORINGSSL_MAKE_DELETER(X509_REVOKED, X509_REVOKED_free)
@@ -2415,5 +2929,9 @@ BSSL_NAMESPACE_END
2415
2929
  #define X509_R_DELTA_CRL_WITHOUT_CRL_NUMBER 138
2416
2930
  #define X509_R_INVALID_FIELD_FOR_VERSION 139
2417
2931
  #define X509_R_INVALID_VERSION 140
2932
+ #define X509_R_NO_CERTIFICATE_FOUND 141
2933
+ #define X509_R_NO_CERTIFICATE_OR_CRL_FOUND 142
2934
+ #define X509_R_NO_CRL_FOUND 143
2935
+ #define X509_R_INVALID_POLICY_EXTENSION 144
2418
2936
 
2419
- #endif
2937
+ #endif // OPENSSL_HEADER_X509_H