grpc 1.53.2 → 1.54.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of grpc might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Makefile +78 -66
- data/include/grpc/event_engine/event_engine.h +30 -14
- data/include/grpc/grpc_security.h +4 -0
- data/include/grpc/support/port_platform.h +4 -4
- data/src/core/ext/filters/backend_metrics/backend_metric_filter.cc +11 -0
- data/src/core/ext/filters/client_channel/backend_metric.cc +6 -0
- data/src/core/ext/filters/client_channel/backup_poller.cc +2 -11
- data/src/core/ext/filters/client_channel/backup_poller.h +0 -3
- data/src/core/ext/filters/client_channel/client_channel.cc +848 -813
- data/src/core/ext/filters/client_channel/client_channel.h +131 -173
- data/src/core/ext/filters/client_channel/client_channel_internal.h +114 -0
- data/src/core/ext/filters/client_channel/config_selector.h +4 -3
- data/src/core/ext/filters/client_channel/lb_policy/backend_metric_data.h +6 -1
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +17 -18
- data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +134 -151
- data/src/core/ext/filters/client_channel/lb_policy/rls/rls.cc +2 -16
- data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +14 -10
- data/src/core/ext/filters/client_channel/lb_policy/weighted_round_robin/weighted_round_robin.cc +68 -30
- data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +11 -3
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +8 -1
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +2 -5
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_override_host.cc +2 -2
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +30 -38
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +4 -4
- data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +20 -26
- data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +31 -179
- data/src/core/ext/filters/client_channel/resolver/polling_resolver.cc +1 -2
- data/src/core/ext/filters/client_channel/resolver/polling_resolver.h +1 -2
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +4 -2
- data/src/core/ext/filters/client_channel/retry_filter.cc +95 -102
- data/src/core/ext/filters/client_channel/subchannel.cc +2 -4
- data/src/core/ext/filters/client_channel/subchannel_stream_client.cc +26 -27
- data/src/core/ext/filters/client_channel/subchannel_stream_client.h +8 -5
- data/src/core/ext/filters/http/client/http_client_filter.cc +3 -3
- data/src/core/ext/filters/http/http_filters_plugin.cc +1 -12
- data/src/core/ext/filters/http/message_compress/compression_filter.cc +27 -11
- data/src/core/ext/filters/message_size/message_size_filter.cc +141 -224
- data/src/core/ext/filters/message_size/message_size_filter.h +48 -3
- data/src/core/ext/filters/stateful_session/stateful_session_filter.cc +7 -6
- data/src/core/ext/gcp/metadata_query.cc +142 -0
- data/src/core/ext/gcp/metadata_query.h +82 -0
- data/src/core/ext/transport/chttp2/server/chttp2_server.cc +70 -55
- data/src/core/ext/transport/chttp2/transport/bin_encoder.cc +8 -12
- data/src/core/ext/transport/chttp2/transport/bin_encoder.h +1 -5
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +116 -58
- data/src/core/ext/transport/chttp2/transport/flow_control.cc +5 -2
- data/src/core/ext/transport/chttp2/transport/flow_control.h +2 -1
- data/src/core/ext/transport/chttp2/transport/frame_settings.cc +4 -1
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.cc +222 -118
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.h +113 -295
- data/src/core/ext/transport/chttp2/transport/hpack_encoder_table.cc +0 -2
- data/src/core/ext/transport/chttp2/transport/hpack_encoder_table.h +0 -2
- data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +277 -451
- data/src/core/ext/transport/chttp2/transport/hpack_parser.h +1 -3
- data/src/core/ext/transport/chttp2/transport/hpack_parser_table.cc +12 -14
- data/src/core/ext/transport/chttp2/transport/hpack_parser_table.h +1 -9
- data/src/core/ext/transport/chttp2/transport/internal.h +16 -3
- data/src/core/ext/transport/chttp2/transport/parsing.cc +3 -2
- data/src/core/ext/transport/chttp2/transport/writing.cc +10 -5
- data/src/core/ext/transport/inproc/inproc_transport.cc +20 -14
- data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.c +5 -3
- data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.h +22 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.c +5 -3
- data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.h +22 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.c +23 -5
- data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.h +94 -3
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.c +23 -2
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.h +120 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.c +6 -3
- data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.h +22 -0
- data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.c +24 -6
- data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.h +111 -12
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +9 -7
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +27 -9
- data/src/core/ext/upb-generated/envoy/config/trace/v3/opentelemetry.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c +11 -7
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h +56 -12
- data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.upb.c +5 -3
- data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.upb.h +24 -0
- data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.upb.c +5 -3
- data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.upb.h +24 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/http_inputs.upb.c +13 -2
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/http_inputs.upb.h +49 -0
- data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.c +24 -9
- data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.h +66 -12
- data/src/core/ext/upbdefs-generated/envoy/config/bootstrap/v3/bootstrap.upbdefs.c +191 -187
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.c +139 -136
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.c +31 -15
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.c +12 -9
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.h +15 -0
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/quic_config.upbdefs.c +54 -45
- data/src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.c +135 -119
- data/src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c +100 -97
- data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/opentelemetry.upbdefs.c +15 -18
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c +272 -264
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/tls.upbdefs.c +117 -117
- data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/ads.upbdefs.c +5 -5
- data/src/core/ext/upbdefs-generated/envoy/service/load_stats/v3/lrs.upbdefs.c +5 -5
- data/src/core/ext/upbdefs-generated/envoy/service/status/v3/csds.upbdefs.c +5 -5
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/http_inputs.upbdefs.c +12 -9
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/http_inputs.upbdefs.h +5 -0
- data/src/core/ext/xds/xds_channel_stack_modifier.cc +1 -2
- data/src/core/ext/xds/xds_client_stats.cc +29 -15
- data/src/core/ext/xds/xds_client_stats.h +24 -20
- data/src/core/ext/xds/xds_endpoint.cc +5 -2
- data/src/core/ext/xds/xds_endpoint.h +9 -1
- data/src/core/ext/xds/xds_http_rbac_filter.cc +1 -1
- data/src/core/ext/xds/xds_lb_policy_registry.cc +13 -0
- data/src/core/ext/xds/xds_transport_grpc.cc +1 -1
- data/src/core/lib/channel/call_finalization.h +1 -1
- data/src/core/lib/channel/call_tracer.cc +51 -0
- data/src/core/lib/channel/call_tracer.h +101 -38
- data/src/core/lib/channel/connected_channel.cc +483 -1050
- data/src/core/lib/channel/context.h +8 -1
- data/src/core/lib/channel/promise_based_filter.cc +106 -42
- data/src/core/lib/channel/promise_based_filter.h +27 -13
- data/src/core/lib/channel/server_call_tracer_filter.cc +110 -0
- data/src/core/lib/config/config_vars.cc +151 -0
- data/src/core/lib/config/config_vars.h +127 -0
- data/src/core/lib/config/config_vars_non_generated.cc +51 -0
- data/src/core/lib/config/load_config.cc +66 -0
- data/src/core/lib/config/load_config.h +49 -0
- data/src/core/lib/debug/trace.cc +5 -6
- data/src/core/lib/debug/trace.h +0 -5
- data/src/core/lib/event_engine/event_engine.cc +37 -2
- data/src/core/lib/event_engine/handle_containers.h +7 -22
- data/src/core/lib/event_engine/memory_allocator_factory.h +47 -0
- data/src/core/lib/event_engine/posix_engine/ev_poll_posix.cc +0 -4
- data/src/core/lib/event_engine/posix_engine/event_poller_posix_default.cc +3 -9
- data/src/core/lib/event_engine/posix_engine/posix_endpoint.cc +48 -15
- data/src/core/lib/event_engine/posix_engine/posix_endpoint.h +8 -8
- data/src/core/lib/event_engine/posix_engine/posix_engine.cc +6 -5
- data/src/core/lib/event_engine/posix_engine/posix_engine.h +0 -1
- data/src/core/lib/event_engine/posix_engine/posix_engine_listener.cc +6 -32
- data/src/core/lib/event_engine/posix_engine/posix_engine_listener.h +0 -3
- data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.cc +27 -18
- data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.h +0 -3
- data/src/core/lib/event_engine/resolved_address.cc +2 -1
- data/src/core/lib/event_engine/windows/win_socket.cc +0 -1
- data/src/core/lib/event_engine/windows/windows_endpoint.cc +129 -82
- data/src/core/lib/event_engine/windows/windows_endpoint.h +21 -5
- data/src/core/lib/event_engine/windows/windows_engine.cc +39 -18
- data/src/core/lib/event_engine/windows/windows_engine.h +2 -1
- data/src/core/lib/event_engine/windows/windows_listener.cc +370 -0
- data/src/core/lib/event_engine/windows/windows_listener.h +155 -0
- data/src/core/lib/experiments/config.cc +3 -10
- data/src/core/lib/experiments/experiments.cc +7 -0
- data/src/core/lib/experiments/experiments.h +9 -1
- data/src/core/lib/gpr/log.cc +15 -28
- data/src/core/lib/gprpp/fork.cc +8 -14
- data/src/core/lib/gprpp/orphanable.h +4 -3
- data/src/core/lib/gprpp/per_cpu.h +9 -3
- data/src/core/lib/gprpp/{thd_posix.cc → posix/thd.cc} +49 -37
- data/src/core/lib/gprpp/ref_counted.h +33 -34
- data/src/core/lib/gprpp/thd.h +16 -0
- data/src/core/lib/gprpp/time.cc +1 -0
- data/src/core/lib/gprpp/time.h +4 -4
- data/src/core/lib/gprpp/{thd_windows.cc → windows/thd.cc} +2 -2
- data/src/core/lib/iomgr/call_combiner.h +2 -2
- data/src/core/lib/iomgr/endpoint_cfstream.cc +4 -2
- data/src/core/lib/iomgr/ev_posix.cc +13 -53
- data/src/core/lib/iomgr/ev_posix.h +0 -3
- data/src/core/lib/iomgr/event_engine_shims/endpoint.cc +103 -76
- data/src/core/lib/iomgr/iomgr.cc +4 -8
- data/src/core/lib/iomgr/iomgr_windows.cc +8 -2
- data/src/core/lib/iomgr/pollset_set_windows.cc +9 -9
- data/src/core/lib/iomgr/pollset_windows.cc +1 -1
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +16 -3
- data/src/core/lib/iomgr/tcp_client_windows.cc +2 -2
- data/src/core/lib/iomgr/tcp_posix.cc +0 -1
- data/src/core/lib/iomgr/tcp_server_posix.cc +19 -55
- data/src/core/lib/iomgr/tcp_server_utils_posix.h +0 -12
- data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +0 -21
- data/src/core/lib/iomgr/tcp_server_windows.cc +176 -9
- data/src/core/lib/iomgr/tcp_windows.cc +12 -8
- data/src/core/lib/load_balancing/lb_policy.cc +9 -13
- data/src/core/lib/load_balancing/lb_policy.h +4 -2
- data/src/core/lib/promise/activity.cc +22 -6
- data/src/core/lib/promise/activity.h +61 -24
- data/src/core/lib/promise/cancel_callback.h +77 -0
- data/src/core/lib/promise/detail/basic_seq.h +1 -1
- data/src/core/lib/promise/detail/promise_factory.h +4 -0
- data/src/core/lib/promise/for_each.h +176 -0
- data/src/core/lib/promise/if.h +9 -0
- data/src/core/lib/promise/interceptor_list.h +23 -2
- data/src/core/lib/promise/latch.h +89 -3
- data/src/core/lib/promise/loop.h +13 -9
- data/src/core/lib/promise/map.h +7 -0
- data/src/core/lib/promise/party.cc +286 -0
- data/src/core/lib/promise/party.h +499 -0
- data/src/core/lib/promise/pipe.h +197 -57
- data/src/core/lib/promise/poll.h +48 -0
- data/src/core/lib/promise/promise.h +2 -2
- data/src/core/lib/resource_quota/arena.cc +19 -3
- data/src/core/lib/resource_quota/arena.h +119 -5
- data/src/core/lib/resource_quota/memory_quota.cc +1 -1
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +12 -35
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.h +1 -0
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +0 -59
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +10 -5
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +1 -1
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc +13 -0
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h +2 -0
- data/src/core/lib/security/security_connector/load_system_roots_supported.cc +5 -9
- data/src/core/lib/security/security_connector/ssl_utils.cc +11 -25
- data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +12 -0
- data/src/core/lib/security/transport/secure_endpoint.cc +4 -2
- data/src/core/lib/security/transport/server_auth_filter.cc +20 -2
- data/src/core/lib/slice/slice.cc +1 -1
- data/src/core/lib/surface/builtins.cc +2 -0
- data/src/core/lib/surface/call.cc +926 -1024
- data/src/core/lib/surface/call.h +10 -0
- data/src/core/lib/surface/lame_client.cc +1 -0
- data/src/core/lib/surface/validate_metadata.cc +42 -43
- data/src/core/lib/surface/validate_metadata.h +0 -9
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/batch_builder.cc +179 -0
- data/src/core/lib/transport/batch_builder.h +468 -0
- data/src/core/lib/transport/bdp_estimator.cc +7 -7
- data/src/core/lib/transport/bdp_estimator.h +10 -6
- data/src/core/lib/transport/custom_metadata.h +30 -0
- data/src/core/lib/transport/metadata_batch.cc +5 -2
- data/src/core/lib/transport/metadata_batch.h +17 -113
- data/src/core/lib/transport/parsed_metadata.h +6 -16
- data/src/core/lib/transport/timeout_encoding.cc +6 -1
- data/src/core/lib/transport/transport.cc +30 -2
- data/src/core/lib/transport/transport.h +70 -14
- data/src/core/lib/transport/transport_impl.h +7 -0
- data/src/core/lib/transport/transport_op_string.cc +52 -42
- data/src/core/plugin_registry/grpc_plugin_registry.cc +2 -2
- data/src/core/tsi/alts/frame_protector/alts_frame_protector.cc +1 -0
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +21 -4
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.h +5 -0
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +1 -1
- data/src/core/tsi/ssl_transport_security.cc +4 -2
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/third_party/abseil-cpp/absl/base/config.h +1 -1
- data/third_party/abseil-cpp/absl/flags/commandlineflag.cc +34 -0
- data/third_party/abseil-cpp/absl/flags/commandlineflag.h +200 -0
- data/third_party/abseil-cpp/absl/flags/config.h +68 -0
- data/third_party/abseil-cpp/absl/flags/declare.h +73 -0
- data/third_party/abseil-cpp/absl/flags/flag.cc +38 -0
- data/third_party/abseil-cpp/absl/flags/flag.h +310 -0
- data/{src/core/lib/gprpp/global_config_custom.h → third_party/abseil-cpp/absl/flags/internal/commandlineflag.cc} +11 -14
- data/third_party/abseil-cpp/absl/flags/internal/commandlineflag.h +68 -0
- data/third_party/abseil-cpp/absl/flags/internal/flag.cc +615 -0
- data/third_party/abseil-cpp/absl/flags/internal/flag.h +800 -0
- data/third_party/abseil-cpp/absl/flags/internal/flag_msvc.inc +116 -0
- data/third_party/abseil-cpp/absl/flags/internal/path_util.h +62 -0
- data/third_party/abseil-cpp/absl/flags/internal/private_handle_accessor.cc +65 -0
- data/third_party/abseil-cpp/absl/flags/internal/private_handle_accessor.h +61 -0
- data/third_party/abseil-cpp/absl/flags/internal/program_name.cc +60 -0
- data/third_party/abseil-cpp/absl/flags/internal/program_name.h +50 -0
- data/third_party/abseil-cpp/absl/flags/internal/registry.h +97 -0
- data/third_party/abseil-cpp/absl/flags/internal/sequence_lock.h +187 -0
- data/third_party/abseil-cpp/absl/flags/marshalling.cc +241 -0
- data/third_party/abseil-cpp/absl/flags/marshalling.h +356 -0
- data/third_party/abseil-cpp/absl/flags/reflection.cc +354 -0
- data/third_party/abseil-cpp/absl/flags/reflection.h +90 -0
- data/third_party/abseil-cpp/absl/flags/usage_config.cc +165 -0
- data/third_party/abseil-cpp/absl/flags/usage_config.h +135 -0
- data/third_party/abseil-cpp/absl/strings/internal/cord_internal.h +12 -8
- data/third_party/boringssl-with-bazel/err_data.c +728 -712
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bitstr.c +177 -177
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bool.c +28 -55
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_d2i_fp.c +21 -23
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_dup.c +20 -23
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_gentm.c +66 -185
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_i2d_fp.c +18 -21
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_int.c +356 -311
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +174 -194
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +146 -210
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_octet.c +6 -9
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strex.c +346 -526
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +110 -131
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_time.c +130 -116
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c +93 -60
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +93 -181
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +242 -305
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_par.c +41 -18
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn_pack.c +30 -33
- data/third_party/boringssl-with-bazel/src/crypto/asn1/f_int.c +36 -33
- data/third_party/boringssl-with-bazel/src/crypto/asn1/f_string.c +29 -26
- data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +133 -88
- data/third_party/boringssl-with-bazel/src/crypto/asn1/posix_time.c +230 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +791 -791
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +526 -526
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +114 -135
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +201 -207
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_typ.c +21 -26
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +55 -68
- data/third_party/boringssl-with-bazel/src/crypto/base64/base64.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/bio.c +11 -7
- data/third_party/boringssl-with-bazel/src/crypto/bio/bio_mem.c +4 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/connect.c +15 -9
- data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +4 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +17 -10
- data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +1 -3
- data/third_party/boringssl-with-bazel/src/crypto/bio/printf.c +0 -13
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket.c +3 -6
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket_helper.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +9 -5
- data/third_party/boringssl-with-bazel/src/crypto/bn_extra/convert.c +10 -23
- data/third_party/boringssl-with-bazel/src/crypto/buf/buf.c +2 -6
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/asn1_compat.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/ber.c +29 -28
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbb.c +161 -201
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +254 -39
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/internal.h +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/chacha/chacha.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/derive_key.c +4 -4
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesctrhmac.c +9 -8
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesgcmsiv.c +37 -75
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_chacha20poly1305.c +8 -10
- data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/cipher → cipher_extra}/e_des.c +100 -78
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_null.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_rc2.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_rc4.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_tls.c +6 -12
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +14 -11
- data/third_party/boringssl-with-bazel/src/crypto/conf/conf.c +6 -10
- data/third_party/boringssl-with-bazel/src/crypto/conf/conf_def.h +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/conf/internal.h +12 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_apple.c +74 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_freebsd.c +62 -0
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-fuchsia.c → cpu_aarch64_fuchsia.c} +8 -7
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-linux.c → cpu_aarch64_linux.c} +6 -4
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-win.c → cpu_aarch64_win.c} +4 -4
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm.c → cpu_arm.c} +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/cpu_arm_freebsd.c +55 -0
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm-linux.c → cpu_arm_linux.c} +11 -90
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm-linux.h → cpu_arm_linux.h} +0 -38
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-intel.c → cpu_intel.c} +1 -2
- data/third_party/boringssl-with-bazel/src/crypto/crypto.c +25 -20
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519.c +16 -27
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/spake25519.c +17 -32
- data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/des → des}/des.c +232 -232
- data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/des → des}/internal.h +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/dh_extra/dh_asn1.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/dh_extra/params.c +232 -29
- data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +0 -3
- data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c +39 -16
- data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa_asn1.c +37 -7
- data/third_party/boringssl-with-bazel/src/crypto/dsa/internal.h +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/ec_asn1.c +11 -36
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/hash_to_curve.c +214 -99
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/internal.h +21 -5
- data/third_party/boringssl-with-bazel/src/crypto/ecdsa_extra/ecdsa_asn1.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/err/err.c +83 -60
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp.c +46 -12
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp_asn1.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp_ctx.c +25 -23
- data/third_party/boringssl-with-bazel/src/crypto/evp/internal.h +43 -9
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_dsa_asn1.c +75 -44
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec.c +19 -25
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec_asn1.c +96 -45
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519.c +7 -8
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519_asn1.c +26 -23
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_hkdf.c +233 -0
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa.c +5 -5
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa_asn1.c +42 -25
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519.c +4 -5
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519_asn1.c +35 -47
- data/third_party/boringssl-with-bazel/src/crypto/evp/print.c +135 -244
- data/third_party/boringssl-with-bazel/src/crypto/evp/scrypt.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/evp/sign.c +15 -10
- data/third_party/boringssl-with-bazel/src/crypto/ex_data.c +29 -15
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes_nohw.c +13 -14
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/internal.h +3 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/key_wrap.c +13 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/mode_wrappers.c +9 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +35 -27
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bn.c +16 -26
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bytes.c +88 -60
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/cmp.c +4 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/ctx.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div_extra.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/exponentiation.c +99 -113
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd_extra.c +5 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/generic.c +112 -168
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +86 -31
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery.c +11 -6
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery_inv.c +4 -5
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/mul.c +4 -5
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/prime.c +13 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/random.c +13 -5
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.c +19 -108
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.h +19 -15
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/shift.c +15 -16
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/sqrt.c +22 -21
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/aead.c +3 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/cipher.c +79 -19
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c +102 -99
- data/third_party/boringssl-with-bazel/src/crypto/{cipher_extra → fipsmodule/cipher}/e_aesccm.c +52 -46
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/internal.h +39 -0
- data/third_party/boringssl-with-bazel/src/crypto/{cmac → fipsmodule/cmac}/cmac.c +55 -11
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/check.c +2 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/dh.c +21 -6
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/internal.h +56 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digest.c +5 -3
- data/third_party/boringssl-with-bazel/src/crypto/{evp → fipsmodule/digestsign}/digestsign.c +51 -15
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +25 -25
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +91 -17
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_montgomery.c +5 -5
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +34 -12
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/oct.c +54 -23
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p224-64.c +44 -60
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64-table.h → p256-nistz-table.h} +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64.c → p256-nistz.c} +60 -53
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64.h → p256-nistz.h} +5 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256.c +48 -36
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/scalar.c +2 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple.c +2 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple_mul.c +2 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/wnaf.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdh/ecdh.c +8 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c +42 -14
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/internal.h +6 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/hmac/hmac.c +52 -24
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cbc.c +9 -15
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cfb.c +1 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ctr.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm.c +71 -43
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/internal.h +14 -16
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ofb.c +1 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/ctrdrbg.c +31 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.c +16 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.h +3 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/getrandom_fillin.h +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +9 -38
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +73 -59
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +11 -45
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/blinding.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h +22 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/padding.c +63 -52
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +107 -62
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +58 -31
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/fips.c +41 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +523 -422
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/internal.h +89 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/service_indicator.c +334 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/internal.h +3 -12
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha256.c +12 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c +14 -12
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/kdf.c +19 -6
- data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +32 -14
- data/third_party/boringssl-with-bazel/src/crypto/hrss/hrss.c +65 -29
- data/third_party/boringssl-with-bazel/src/crypto/internal.h +373 -18
- data/third_party/boringssl-with-bazel/src/crypto/kyber/internal.h +61 -0
- data/third_party/boringssl-with-bazel/src/crypto/kyber/keccak.c +205 -0
- data/third_party/boringssl-with-bazel/src/crypto/lhash/internal.h +13 -1
- data/third_party/boringssl-with-bazel/src/crypto/mem.c +220 -13
- data/third_party/boringssl-with-bazel/src/crypto/obj/obj.c +19 -7
- data/third_party/boringssl-with-bazel/src/crypto/obj/obj_dat.h +13 -1
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_all.c +81 -90
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_info.c +150 -245
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +629 -613
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_oth.c +17 -17
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pk8.c +142 -149
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pkey.c +99 -131
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_x509.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_xaux.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8.c +0 -3
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +36 -66
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305.c +31 -38
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_arm.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_vec.c +18 -31
- data/third_party/boringssl-with-bazel/src/crypto/pool/internal.h +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/pool/pool.c +8 -1
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/passive.c +129 -5
- data/third_party/boringssl-with-bazel/src/crypto/refcount_c11.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/refcount_lock.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/siphash/siphash.c +8 -11
- data/third_party/boringssl-with-bazel/src/crypto/stack/stack.c +61 -27
- data/third_party/boringssl-with-bazel/src/crypto/thread_pthread.c +10 -13
- data/third_party/boringssl-with-bazel/src/crypto/thread_win.c +10 -13
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h +66 -34
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/pmbtoken.c +190 -77
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/trust_token.c +81 -284
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/voprf.c +109 -42
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_digest.c +22 -24
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_sign.c +54 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_verify.c +32 -34
- data/third_party/boringssl-with-bazel/src/crypto/x509/algorithm.c +32 -16
- data/third_party/boringssl-with-bazel/src/crypto/x509/asn1_gen.c +465 -704
- data/third_party/boringssl-with-bazel/src/crypto/x509/by_dir.c +284 -331
- data/third_party/boringssl-with-bazel/src/crypto/x509/by_file.c +183 -178
- data/third_party/boringssl-with-bazel/src/crypto/x509/i2d_pr.c +11 -15
- data/third_party/boringssl-with-bazel/src/crypto/x509/internal.h +67 -50
- data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.c +153 -150
- data/third_party/boringssl-with-bazel/src/crypto/x509/policy.c +786 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +95 -102
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_crl.c +72 -57
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_req.c +12 -10
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +227 -252
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509a.c +52 -47
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_att.c +230 -224
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +161 -327
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_d2.c +37 -33
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_def.c +14 -31
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_ext.c +55 -85
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_lu.c +534 -618
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_obj.c +129 -122
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c +116 -182
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +132 -132
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_trs.c +181 -202
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_txt.c +64 -79
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_v3.c +175 -160
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +1865 -2050
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +433 -462
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +156 -163
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +267 -263
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509rset.c +40 -15
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509spki.c +59 -63
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_algor.c +63 -67
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +114 -144
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_attrib.c +25 -26
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +326 -415
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_exten.c +8 -7
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_info.c +30 -28
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_name.c +354 -370
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_pkey.c +37 -32
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_pubkey.c +116 -119
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_req.c +36 -26
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_sig.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_spki.c +10 -13
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_val.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +419 -261
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +113 -105
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/ext_dat.h +11 -15
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +78 -170
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +126 -131
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akeya.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +465 -469
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bcons.c +56 -54
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +46 -49
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +309 -346
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +341 -365
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_crld.c +429 -393
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +29 -24
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_extku.c +65 -59
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_genn.c +125 -121
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ia5.c +43 -42
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_info.c +122 -125
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_int.c +50 -20
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c +247 -253
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ncons.c +386 -389
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ocsp.c +45 -32
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pcons.c +57 -54
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pmaps.c +63 -67
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +143 -136
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +664 -707
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +83 -75
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +1062 -1146
- data/third_party/boringssl-with-bazel/src/include/openssl/aead.h +8 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/arm_arch.h +28 -48
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +211 -187
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +26 -78
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +19 -14
- data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +21 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/bn.h +49 -17
- data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +99 -29
- data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +49 -60
- data/third_party/boringssl-with-bazel/src/include/openssl/conf.h +2 -15
- data/third_party/boringssl-with-bazel/src/include/openssl/cpu.h +16 -200
- data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +34 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ctrdrbg.h +82 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +32 -30
- data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +7 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/dsa.h +4 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ec.h +48 -5
- data/third_party/boringssl-with-bazel/src/include/openssl/ec_key.h +37 -8
- data/third_party/boringssl-with-bazel/src/include/openssl/ecdsa.h +1 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/err.h +33 -5
- data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +22 -30
- data/third_party/boringssl-with-bazel/src/include/openssl/ex_data.h +1 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/hmac.h +7 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/hpke.h +41 -16
- data/third_party/boringssl-with-bazel/src/include/openssl/kdf.h +91 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/mem.h +74 -8
- data/third_party/boringssl-with-bazel/src/include/openssl/nid.h +13 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/opensslconf.h +1 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +11 -15
- data/third_party/boringssl-with-bazel/src/include/openssl/pkcs8.h +8 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +12 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +7 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/service_indicator.h +96 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +13 -21
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +139 -75
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl3.h +1 -6
- data/third_party/boringssl-with-bazel/src/include/openssl/stack.h +384 -286
- data/third_party/boringssl-with-bazel/src/include/openssl/thread.h +5 -6
- data/third_party/boringssl-with-bazel/src/include/openssl/time.h +41 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +18 -7
- data/third_party/boringssl-with-bazel/src/include/openssl/trust_token.h +49 -23
- data/third_party/boringssl-with-bazel/src/include/openssl/type_check.h +0 -11
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +1592 -1074
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +202 -205
- data/third_party/boringssl-with-bazel/src/ssl/bio_ssl.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +6 -13
- data/third_party/boringssl-with-bazel/src/ssl/d1_pkt.cc +17 -18
- data/third_party/boringssl-with-bazel/src/ssl/dtls_method.cc +4 -5
- data/third_party/boringssl-with-bazel/src/ssl/dtls_record.cc +25 -33
- data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +34 -20
- data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +65 -34
- data/third_party/boringssl-with-bazel/src/ssl/handoff.cc +198 -54
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +5 -5
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +32 -28
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +76 -44
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +130 -98
- data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +27 -11
- data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/s3_pkt.cc +91 -75
- data/third_party/boringssl-with-bazel/src/ssl/ssl_aead_ctx.cc +8 -10
- data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc +39 -65
- data/third_party/boringssl-with-bazel/src/ssl/ssl_buffer.cc +1 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cert.cc +5 -9
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +30 -33
- data/third_party/boringssl-with-bazel/src/ssl/ssl_file.cc +77 -100
- data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +120 -107
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +164 -30
- data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +150 -60
- data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +22 -11
- data/third_party/boringssl-with-bazel/src/ssl/ssl_x509.cc +22 -6
- data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc +15 -13
- data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +5 -43
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +7 -4
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +22 -34
- data/third_party/boringssl-with-bazel/src/ssl/tls_method.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/tls_record.cc +16 -98
- data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_32.h +1241 -657
- data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_64.h +751 -398
- data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_32.h +3551 -1938
- data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_64.h +1272 -487
- metadata +103 -70
- data/src/core/ext/filters/client_channel/lb_call_state_internal.h +0 -39
- data/src/core/ext/filters/client_channel/resolver/dns/dns_resolver_selection.cc +0 -30
- data/src/core/ext/filters/client_channel/resolver/dns/dns_resolver_selection.h +0 -29
- data/src/core/lib/gprpp/global_config.h +0 -93
- data/src/core/lib/gprpp/global_config_env.cc +0 -140
- data/src/core/lib/gprpp/global_config_env.h +0 -133
- data/src/core/lib/gprpp/global_config_generic.h +0 -40
- data/src/core/lib/promise/intra_activity_waiter.h +0 -55
- data/src/core/lib/security/security_connector/ssl_utils_config.cc +0 -32
- data/src/core/lib/security/security_connector/ssl_utils_config.h +0 -29
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_enum.c +0 -195
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_print.c +0 -83
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utf8.c +0 -236
- data/third_party/boringssl-with-bazel/src/crypto/asn1/charmap.h +0 -15
- data/third_party/boringssl-with-bazel/src/crypto/asn1/time_support.c +0 -206
- data/third_party/boringssl-with-bazel/src/crypto/cpu-ppc64le.c +0 -38
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1-altivec.c +0 -361
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_cache.c +0 -287
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_data.c +0 -132
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_lib.c +0 -155
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_map.c +0 -131
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_node.c +0 -189
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_tree.c +0 -843
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pci.c +0 -289
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pcia.c +0 -57
- /data/src/core/lib/gpr/{log_android.cc → android/log.cc} +0 -0
- /data/src/core/lib/gpr/{cpu_iphone.cc → iphone/cpu.cc} +0 -0
- /data/src/core/lib/gpr/{cpu_linux.cc → linux/cpu.cc} +0 -0
- /data/src/core/lib/gpr/{log_linux.cc → linux/log.cc} +0 -0
- /data/src/core/lib/gpr/{tmpfile_msys.cc → msys/tmpfile.cc} +0 -0
- /data/src/core/lib/gpr/{cpu_posix.cc → posix/cpu.cc} +0 -0
- /data/src/core/lib/gpr/{log_posix.cc → posix/log.cc} +0 -0
- /data/src/core/lib/gpr/{string_posix.cc → posix/string.cc} +0 -0
- /data/src/core/lib/gpr/{sync_posix.cc → posix/sync.cc} +0 -0
- /data/src/core/lib/gpr/{time_posix.cc → posix/time.cc} +0 -0
- /data/src/core/lib/gpr/{tmpfile_posix.cc → posix/tmpfile.cc} +0 -0
- /data/src/core/lib/gpr/{cpu_windows.cc → windows/cpu.cc} +0 -0
- /data/src/core/lib/gpr/{log_windows.cc → windows/log.cc} +0 -0
- /data/src/core/lib/gpr/{string_windows.cc → windows/string.cc} +0 -0
- /data/src/core/lib/gpr/{string_util_windows.cc → windows/string_util.cc} +0 -0
- /data/src/core/lib/gpr/{sync_windows.cc → windows/sync.cc} +0 -0
- /data/src/core/lib/gpr/{time_windows.cc → windows/time.cc} +0 -0
- /data/src/core/lib/gpr/{tmpfile_windows.cc → windows/tmpfile.cc} +0 -0
- /data/src/core/lib/gprpp/{env_linux.cc → linux/env.cc} +0 -0
- /data/src/core/lib/gprpp/{env_posix.cc → posix/env.cc} +0 -0
- /data/src/core/lib/gprpp/{stat_posix.cc → posix/stat.cc} +0 -0
- /data/src/core/lib/gprpp/{env_windows.cc → windows/env.cc} +0 -0
- /data/src/core/lib/gprpp/{stat_windows.cc → windows/stat.cc} +0 -0
@@ -60,8 +60,8 @@
|
|
60
60
|
* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
|
61
61
|
*/
|
62
62
|
|
63
|
-
#ifndef
|
64
|
-
#define
|
63
|
+
#ifndef OPENSSL_HEADER_X509_H
|
64
|
+
#define OPENSSL_HEADER_X509_H
|
65
65
|
|
66
66
|
#include <openssl/asn1.h>
|
67
67
|
#include <openssl/base.h>
|
@@ -90,10 +90,1475 @@ extern "C" {
|
|
90
90
|
// Legacy X.509 library.
|
91
91
|
//
|
92
92
|
// This header is part of OpenSSL's X.509 implementation. It is retained for
|
93
|
-
// compatibility but
|
94
|
-
//
|
93
|
+
// compatibility but should not be used by new code. The functions are difficult
|
94
|
+
// to use correctly, and have buggy or non-standard behaviors. They are thus
|
95
|
+
// particularly prone to behavior changes and API removals, as BoringSSL
|
96
|
+
// iterates on these issues.
|
97
|
+
//
|
98
|
+
// In the future, a replacement library will be available. Meanwhile, minimize
|
95
99
|
// dependencies on this header where possible.
|
100
|
+
//
|
101
|
+
// TODO(https://crbug.com/boringssl/426): Documentation for this library is
|
102
|
+
// still in progress. Some functions have not yet been documented, and some
|
103
|
+
// functions have not yet been grouped into sections.
|
104
|
+
|
105
|
+
|
106
|
+
// Certificates.
|
107
|
+
//
|
108
|
+
// An |X509| object represents an X.509 certificate, defined in RFC 5280.
|
109
|
+
//
|
110
|
+
// Although an |X509| is a mutable object, mutating an |X509| can give incorrect
|
111
|
+
// results. Callers typically obtain |X509|s by parsing some input with
|
112
|
+
// |d2i_X509|, etc. Such objects carry information such as the serialized
|
113
|
+
// TBSCertificate and decoded extensions, which will become inconsistent when
|
114
|
+
// mutated.
|
115
|
+
//
|
116
|
+
// Instead, mutation functions should only be used when issuing new
|
117
|
+
// certificates, as described in a later section.
|
118
|
+
|
119
|
+
DEFINE_STACK_OF(X509)
|
120
|
+
|
121
|
+
// X509 is an |ASN1_ITEM| whose ASN.1 type is X.509 Certificate (RFC 5280) and C
|
122
|
+
// type is |X509*|.
|
123
|
+
DECLARE_ASN1_ITEM(X509)
|
124
|
+
|
125
|
+
// X509_up_ref adds one to the reference count of |x509| and returns one.
|
126
|
+
OPENSSL_EXPORT int X509_up_ref(X509 *x509);
|
127
|
+
|
128
|
+
// X509_chain_up_ref returns a newly-allocated |STACK_OF(X509)| containing a
|
129
|
+
// shallow copy of |chain|, or NULL on error. That is, the return value has the
|
130
|
+
// same contents as |chain|, and each |X509|'s reference count is incremented by
|
131
|
+
// one.
|
132
|
+
OPENSSL_EXPORT STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain);
|
133
|
+
|
134
|
+
// X509_dup returns a newly-allocated copy of |x509|, or NULL on error. This
|
135
|
+
// function works by serializing the structure, so auxiliary properties (see
|
136
|
+
// |i2d_X509_AUX|) are not preserved. Additionally, if |x509| is incomplete,
|
137
|
+
// this function may fail.
|
138
|
+
//
|
139
|
+
// TODO(https://crbug.com/boringssl/407): This function should be const and
|
140
|
+
// thread-safe but is currently neither in some cases, notably if |crl| was
|
141
|
+
// mutated.
|
142
|
+
OPENSSL_EXPORT X509 *X509_dup(X509 *x509);
|
143
|
+
|
144
|
+
// X509_free decrements |x509|'s reference count and, if zero, releases memory
|
145
|
+
// associated with |x509|.
|
146
|
+
OPENSSL_EXPORT void X509_free(X509 *x509);
|
147
|
+
|
148
|
+
// d2i_X509 parses up to |len| bytes from |*inp| as a DER-encoded X.509
|
149
|
+
// Certificate (RFC 5280), as described in |d2i_SAMPLE|.
|
150
|
+
OPENSSL_EXPORT X509 *d2i_X509(X509 **out, const uint8_t **inp, long len);
|
151
|
+
|
152
|
+
// X509_parse_from_buffer parses an X.509 structure from |buf| and returns a
|
153
|
+
// fresh X509 or NULL on error. There must not be any trailing data in |buf|.
|
154
|
+
// The returned structure (if any) holds a reference to |buf| rather than
|
155
|
+
// copying parts of it as a normal |d2i_X509| call would do.
|
156
|
+
OPENSSL_EXPORT X509 *X509_parse_from_buffer(CRYPTO_BUFFER *buf);
|
157
|
+
|
158
|
+
// i2d_X509 marshals |x509| as a DER-encoded X.509 Certificate (RFC 5280), as
|
159
|
+
// described in |i2d_SAMPLE|.
|
160
|
+
//
|
161
|
+
// TODO(https://crbug.com/boringssl/407): This function should be const and
|
162
|
+
// thread-safe but is currently neither in some cases, notably if |x509| was
|
163
|
+
// mutated.
|
164
|
+
OPENSSL_EXPORT int i2d_X509(X509 *x509, uint8_t **outp);
|
165
|
+
|
166
|
+
// X509_VERSION_* are X.509 version numbers. Note the numerical values of all
|
167
|
+
// defined X.509 versions are one less than the named version.
|
168
|
+
#define X509_VERSION_1 0
|
169
|
+
#define X509_VERSION_2 1
|
170
|
+
#define X509_VERSION_3 2
|
171
|
+
|
172
|
+
// X509_get_version returns the numerical value of |x509|'s version, which will
|
173
|
+
// be one of the |X509_VERSION_*| constants.
|
174
|
+
OPENSSL_EXPORT long X509_get_version(const X509 *x509);
|
175
|
+
|
176
|
+
// X509_get0_serialNumber returns |x509|'s serial number.
|
177
|
+
OPENSSL_EXPORT const ASN1_INTEGER *X509_get0_serialNumber(const X509 *x509);
|
178
|
+
|
179
|
+
// X509_get0_notBefore returns |x509|'s notBefore time.
|
180
|
+
OPENSSL_EXPORT const ASN1_TIME *X509_get0_notBefore(const X509 *x509);
|
181
|
+
|
182
|
+
// X509_get0_notAfter returns |x509|'s notAfter time.
|
183
|
+
OPENSSL_EXPORT const ASN1_TIME *X509_get0_notAfter(const X509 *x509);
|
184
|
+
|
185
|
+
// X509_get_issuer_name returns |x509|'s issuer.
|
186
|
+
OPENSSL_EXPORT X509_NAME *X509_get_issuer_name(const X509 *x509);
|
187
|
+
|
188
|
+
// X509_get_subject_name returns |x509|'s subject.
|
189
|
+
OPENSSL_EXPORT X509_NAME *X509_get_subject_name(const X509 *x509);
|
190
|
+
|
191
|
+
// X509_get_X509_PUBKEY returns the public key of |x509|. Note this function is
|
192
|
+
// not const-correct for legacy reasons. Callers should not modify the returned
|
193
|
+
// object.
|
194
|
+
OPENSSL_EXPORT X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x509);
|
195
|
+
|
196
|
+
// X509_get_pubkey returns |x509|'s public key as an |EVP_PKEY|, or NULL if the
|
197
|
+
// public key was unsupported or could not be decoded. This function returns a
|
198
|
+
// reference to the |EVP_PKEY|. The caller must release the result with
|
199
|
+
// |EVP_PKEY_free| when done.
|
200
|
+
OPENSSL_EXPORT EVP_PKEY *X509_get_pubkey(X509 *x509);
|
201
|
+
|
202
|
+
// X509_get0_pubkey_bitstr returns the BIT STRING portion of |x509|'s public
|
203
|
+
// key. Note this does not contain the AlgorithmIdentifier portion.
|
204
|
+
//
|
205
|
+
// WARNING: This function returns a non-const pointer for OpenSSL compatibility,
|
206
|
+
// but the caller must not modify the resulting object. Doing so will break
|
207
|
+
// internal invariants in |x509|.
|
208
|
+
OPENSSL_EXPORT ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x509);
|
209
|
+
|
210
|
+
// X509_get0_uids sets |*out_issuer_uid| to a non-owning pointer to the
|
211
|
+
// issuerUID field of |x509|, or NULL if |x509| has no issuerUID. It similarly
|
212
|
+
// outputs |x509|'s subjectUID field to |*out_subject_uid|.
|
213
|
+
//
|
214
|
+
// Callers may pass NULL to either |out_issuer_uid| or |out_subject_uid| to
|
215
|
+
// ignore the corresponding field.
|
216
|
+
OPENSSL_EXPORT void X509_get0_uids(const X509 *x509,
|
217
|
+
const ASN1_BIT_STRING **out_issuer_uid,
|
218
|
+
const ASN1_BIT_STRING **out_subject_uid);
|
219
|
+
|
220
|
+
// X509_get0_extensions returns |x509|'s extension list, or NULL if |x509| omits
|
221
|
+
// it.
|
222
|
+
OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_get0_extensions(
|
223
|
+
const X509 *x509);
|
224
|
+
|
225
|
+
// X509_get_ext_count returns the number of extensions in |x|.
|
226
|
+
OPENSSL_EXPORT int X509_get_ext_count(const X509 *x);
|
227
|
+
|
228
|
+
// X509_get_ext_by_NID behaves like |X509v3_get_ext_by_NID| but searches for
|
229
|
+
// extensions in |x|.
|
230
|
+
OPENSSL_EXPORT int X509_get_ext_by_NID(const X509 *x, int nid, int lastpos);
|
231
|
+
|
232
|
+
// X509_get_ext_by_OBJ behaves like |X509v3_get_ext_by_OBJ| but searches for
|
233
|
+
// extensions in |x|.
|
234
|
+
OPENSSL_EXPORT int X509_get_ext_by_OBJ(const X509 *x, const ASN1_OBJECT *obj,
|
235
|
+
int lastpos);
|
236
|
+
|
237
|
+
// X509_get_ext_by_critical behaves like |X509v3_get_ext_by_critical| but
|
238
|
+
// searches for extensions in |x|.
|
239
|
+
OPENSSL_EXPORT int X509_get_ext_by_critical(const X509 *x, int crit,
|
240
|
+
int lastpos);
|
241
|
+
|
242
|
+
// X509_get_ext returns the extension in |x| at index |loc|, or NULL if |loc| is
|
243
|
+
// out of bounds. This function returns a non-const pointer for OpenSSL
|
244
|
+
// compatibility, but callers should not mutate the result.
|
245
|
+
OPENSSL_EXPORT X509_EXTENSION *X509_get_ext(const X509 *x, int loc);
|
246
|
+
|
247
|
+
// X509_get0_tbs_sigalg returns the signature algorithm in |x509|'s
|
248
|
+
// TBSCertificate. For the outer signature algorithm, see |X509_get0_signature|.
|
249
|
+
//
|
250
|
+
// Certificates with mismatched signature algorithms will successfully parse,
|
251
|
+
// but they will be rejected when verifying.
|
252
|
+
OPENSSL_EXPORT const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x509);
|
253
|
+
|
254
|
+
// X509_get0_signature sets |*out_sig| and |*out_alg| to the signature and
|
255
|
+
// signature algorithm of |x509|, respectively. Either output pointer may be
|
256
|
+
// NULL to ignore the value.
|
257
|
+
//
|
258
|
+
// This function outputs the outer signature algorithm. For the one in the
|
259
|
+
// TBSCertificate, see |X509_get0_tbs_sigalg|. Certificates with mismatched
|
260
|
+
// signature algorithms will successfully parse, but they will be rejected when
|
261
|
+
// verifying.
|
262
|
+
OPENSSL_EXPORT void X509_get0_signature(const ASN1_BIT_STRING **out_sig,
|
263
|
+
const X509_ALGOR **out_alg,
|
264
|
+
const X509 *x509);
|
265
|
+
|
266
|
+
// X509_get_signature_nid returns the NID corresponding to |x509|'s signature
|
267
|
+
// algorithm, or |NID_undef| if the signature algorithm does not correspond to
|
268
|
+
// a known NID.
|
269
|
+
OPENSSL_EXPORT int X509_get_signature_nid(const X509 *x509);
|
270
|
+
|
271
|
+
// i2d_X509_tbs serializes the TBSCertificate portion of |x509|, as described in
|
272
|
+
// |i2d_SAMPLE|.
|
273
|
+
//
|
274
|
+
// This function preserves the original encoding of the TBSCertificate and may
|
275
|
+
// not reflect modifications made to |x509|. It may be used to manually verify
|
276
|
+
// the signature of an existing certificate. To generate certificates, use
|
277
|
+
// |i2d_re_X509_tbs| instead.
|
278
|
+
OPENSSL_EXPORT int i2d_X509_tbs(X509 *x509, unsigned char **outp);
|
279
|
+
|
280
|
+
|
281
|
+
// Issuing certificates.
|
282
|
+
//
|
283
|
+
// An |X509| object may also represent an incomplete certificate. Callers may
|
284
|
+
// construct empty |X509| objects, fill in fields individually, and finally sign
|
285
|
+
// the result. The following functions may be used for this purpose.
|
286
|
+
|
287
|
+
// X509_new returns a newly-allocated, empty |X509| object, or NULL on error.
|
288
|
+
// This produces an incomplete certificate which may be filled in to issue a new
|
289
|
+
// certificate.
|
290
|
+
OPENSSL_EXPORT X509 *X509_new(void);
|
291
|
+
|
292
|
+
// X509_set_version sets |x509|'s version to |version|, which should be one of
|
293
|
+
// the |X509V_VERSION_*| constants. It returns one on success and zero on error.
|
294
|
+
//
|
295
|
+
// If unsure, use |X509_VERSION_3|.
|
296
|
+
OPENSSL_EXPORT int X509_set_version(X509 *x509, long version);
|
297
|
+
|
298
|
+
// X509_set_serialNumber sets |x509|'s serial number to |serial|. It returns one
|
299
|
+
// on success and zero on error.
|
300
|
+
OPENSSL_EXPORT int X509_set_serialNumber(X509 *x509,
|
301
|
+
const ASN1_INTEGER *serial);
|
302
|
+
|
303
|
+
// X509_set1_notBefore sets |x509|'s notBefore time to |tm|. It returns one on
|
304
|
+
// success and zero on error.
|
305
|
+
OPENSSL_EXPORT int X509_set1_notBefore(X509 *x509, const ASN1_TIME *tm);
|
306
|
+
|
307
|
+
// X509_set1_notAfter sets |x509|'s notAfter time to |tm|. it returns one on
|
308
|
+
// success and zero on error.
|
309
|
+
OPENSSL_EXPORT int X509_set1_notAfter(X509 *x509, const ASN1_TIME *tm);
|
310
|
+
|
311
|
+
// X509_getm_notBefore returns a mutable pointer to |x509|'s notBefore time.
|
312
|
+
OPENSSL_EXPORT ASN1_TIME *X509_getm_notBefore(X509 *x509);
|
313
|
+
|
314
|
+
// X509_getm_notAfter returns a mutable pointer to |x509|'s notAfter time.
|
315
|
+
OPENSSL_EXPORT ASN1_TIME *X509_getm_notAfter(X509 *x);
|
316
|
+
|
317
|
+
// X509_set_issuer_name sets |x509|'s issuer to a copy of |name|. It returns one
|
318
|
+
// on success and zero on error.
|
319
|
+
OPENSSL_EXPORT int X509_set_issuer_name(X509 *x509, X509_NAME *name);
|
320
|
+
|
321
|
+
// X509_set_subject_name sets |x509|'s subject to a copy of |name|. It returns
|
322
|
+
// one on success and zero on error.
|
323
|
+
OPENSSL_EXPORT int X509_set_subject_name(X509 *x509, X509_NAME *name);
|
324
|
+
|
325
|
+
// X509_set_pubkey sets |x509|'s public key to |pkey|. It returns one on success
|
326
|
+
// and zero on error. This function does not take ownership of |pkey| and
|
327
|
+
// internally copies and updates reference counts as needed.
|
328
|
+
OPENSSL_EXPORT int X509_set_pubkey(X509 *x509, EVP_PKEY *pkey);
|
329
|
+
|
330
|
+
// X509_delete_ext removes the extension in |x| at index |loc| and returns the
|
331
|
+
// removed extension, or NULL if |loc| was out of bounds. If non-NULL, the
|
332
|
+
// caller must release the result with |X509_EXTENSION_free|.
|
333
|
+
OPENSSL_EXPORT X509_EXTENSION *X509_delete_ext(X509 *x, int loc);
|
334
|
+
|
335
|
+
// X509_add_ext adds a copy of |ex| to |x|. It returns one on success and zero
|
336
|
+
// on failure. The caller retains ownership of |ex| and can release it
|
337
|
+
// independently of |x|.
|
338
|
+
//
|
339
|
+
// The new extension is inserted at index |loc|, shifting extensions to the
|
340
|
+
// right. If |loc| is -1 or out of bounds, the new extension is appended to the
|
341
|
+
// list.
|
342
|
+
OPENSSL_EXPORT int X509_add_ext(X509 *x, const X509_EXTENSION *ex, int loc);
|
343
|
+
|
344
|
+
// X509_sign signs |x509| with |pkey| and replaces the signature algorithm and
|
345
|
+
// signature fields. It returns one on success and zero on error. This function
|
346
|
+
// uses digest algorithm |md|, or |pkey|'s default if NULL. Other signing
|
347
|
+
// parameters use |pkey|'s defaults. To customize them, use |X509_sign_ctx|.
|
348
|
+
OPENSSL_EXPORT int X509_sign(X509 *x509, EVP_PKEY *pkey, const EVP_MD *md);
|
349
|
+
|
350
|
+
// X509_sign_ctx signs |x509| with |ctx| and replaces the signature algorithm
|
351
|
+
// and signature fields. It returns one on success and zero on error. The
|
352
|
+
// signature algorithm and parameters come from |ctx|, which must have been
|
353
|
+
// initialized with |EVP_DigestSignInit|. The caller should configure the
|
354
|
+
// corresponding |EVP_PKEY_CTX| before calling this function.
|
355
|
+
OPENSSL_EXPORT int X509_sign_ctx(X509 *x509, EVP_MD_CTX *ctx);
|
356
|
+
|
357
|
+
// i2d_re_X509_tbs serializes the TBSCertificate portion of |x509|, as described
|
358
|
+
// in |i2d_SAMPLE|.
|
359
|
+
//
|
360
|
+
// This function re-encodes the TBSCertificate and may not reflect |x509|'s
|
361
|
+
// original encoding. It may be used to manually generate a signature for a new
|
362
|
+
// certificate. To verify certificates, use |i2d_X509_tbs| instead.
|
363
|
+
OPENSSL_EXPORT int i2d_re_X509_tbs(X509 *x509, unsigned char **outp);
|
364
|
+
|
365
|
+
// X509_set1_signature_algo sets |x509|'s signature algorithm to |algo| and
|
366
|
+
// returns one on success or zero on error. It updates both the signature field
|
367
|
+
// of the TBSCertificate structure, and the signatureAlgorithm field of the
|
368
|
+
// Certificate.
|
369
|
+
OPENSSL_EXPORT int X509_set1_signature_algo(X509 *x509, const X509_ALGOR *algo);
|
370
|
+
|
371
|
+
// X509_set1_signature_value sets |x509|'s signature to a copy of the |sig_len|
|
372
|
+
// bytes pointed by |sig|. It returns one on success and zero on error.
|
373
|
+
//
|
374
|
+
// Due to a specification error, X.509 certificates store signatures in ASN.1
|
375
|
+
// BIT STRINGs, but signature algorithms return byte strings rather than bit
|
376
|
+
// strings. This function creates a BIT STRING containing a whole number of
|
377
|
+
// bytes, with the bit order matching the DER encoding. This matches the
|
378
|
+
// encoding used by all X.509 signature algorithms.
|
379
|
+
OPENSSL_EXPORT int X509_set1_signature_value(X509 *x509, const uint8_t *sig,
|
380
|
+
size_t sig_len);
|
381
|
+
|
382
|
+
|
383
|
+
// Auxiliary certificate properties.
|
384
|
+
//
|
385
|
+
// |X509| objects optionally maintain auxiliary properties. These are not part
|
386
|
+
// of the certificates themselves, and thus are not covered by signatures or
|
387
|
+
// preserved by the standard serialization. They are used as inputs or outputs
|
388
|
+
// to other functions in this library.
|
389
|
+
|
390
|
+
// i2d_X509_AUX marshals |x509| as a DER-encoded X.509 Certificate (RFC 5280),
|
391
|
+
// followed optionally by a separate, OpenSSL-specific structure with auxiliary
|
392
|
+
// properties. It behaves as described in |i2d_SAMPLE|.
|
393
|
+
//
|
394
|
+
// Unlike similarly-named functions, this function does not output a single
|
395
|
+
// ASN.1 element. Directly embedding the output in a larger ASN.1 structure will
|
396
|
+
// not behave correctly.
|
397
|
+
OPENSSL_EXPORT int i2d_X509_AUX(X509 *x509, unsigned char **outp);
|
398
|
+
|
399
|
+
// d2i_X509_AUX parses up to |length| bytes from |*inp| as a DER-encoded X.509
|
400
|
+
// Certificate (RFC 5280), followed optionally by a separate, OpenSSL-specific
|
401
|
+
// structure with auxiliary properties. It behaves as described in |d2i_SAMPLE|.
|
402
|
+
//
|
403
|
+
// Some auxiliary properties affect trust decisions, so this function should not
|
404
|
+
// be used with untrusted input.
|
405
|
+
//
|
406
|
+
// Unlike similarly-named functions, this function does not parse a single
|
407
|
+
// ASN.1 element. Trying to parse data directly embedded in a larger ASN.1
|
408
|
+
// structure will not behave correctly.
|
409
|
+
OPENSSL_EXPORT X509 *d2i_X509_AUX(X509 **x509, const unsigned char **inp,
|
410
|
+
long length);
|
411
|
+
|
412
|
+
// X509_alias_set1 sets |x509|'s alias to |len| bytes from |name|. If |name| is
|
413
|
+
// NULL, the alias is cleared instead. Aliases are not part of the certificate
|
414
|
+
// itself and will not be serialized by |i2d_X509|.
|
415
|
+
OPENSSL_EXPORT int X509_alias_set1(X509 *x509, const unsigned char *name,
|
416
|
+
int len);
|
417
|
+
|
418
|
+
// X509_keyid_set1 sets |x509|'s key ID to |len| bytes from |id|. If |id| is
|
419
|
+
// NULL, the key ID is cleared instead. Key IDs are not part of the certificate
|
420
|
+
// itself and will not be serialized by |i2d_X509|.
|
421
|
+
OPENSSL_EXPORT int X509_keyid_set1(X509 *x509, const unsigned char *id,
|
422
|
+
int len);
|
423
|
+
|
424
|
+
// X509_alias_get0 looks up |x509|'s alias. If found, it sets |*out_len| to the
|
425
|
+
// alias's length and returns a pointer to a buffer containing the contents. If
|
426
|
+
// not found, it outputs the empty string by returning NULL and setting
|
427
|
+
// |*out_len| to zero.
|
428
|
+
//
|
429
|
+
// If |x509| was parsed from a PKCS#12 structure (see
|
430
|
+
// |PKCS12_get_key_and_certs|), the alias will reflect the friendlyName
|
431
|
+
// attribute (RFC 2985).
|
432
|
+
//
|
433
|
+
// WARNING: In OpenSSL, this function did not set |*out_len| when the alias was
|
434
|
+
// missing. Callers that target both OpenSSL and BoringSSL should set the value
|
435
|
+
// to zero before calling this function.
|
436
|
+
OPENSSL_EXPORT unsigned char *X509_alias_get0(X509 *x509, int *out_len);
|
437
|
+
|
438
|
+
// X509_keyid_get0 looks up |x509|'s key ID. If found, it sets |*out_len| to the
|
439
|
+
// key ID's length and returns a pointer to a buffer containing the contents. If
|
440
|
+
// not found, it outputs the empty string by returning NULL and setting
|
441
|
+
// |*out_len| to zero.
|
442
|
+
//
|
443
|
+
// WARNING: In OpenSSL, this function did not set |*out_len| when the alias was
|
444
|
+
// missing. Callers that target both OpenSSL and BoringSSL should set the value
|
445
|
+
// to zero before calling this function.
|
446
|
+
OPENSSL_EXPORT unsigned char *X509_keyid_get0(X509 *x509, int *out_len);
|
447
|
+
|
448
|
+
|
449
|
+
// Certificate revocation lists.
|
450
|
+
//
|
451
|
+
// An |X509_CRL| object represents an X.509 certificate revocation list (CRL),
|
452
|
+
// defined in RFC 5280. A CRL is a signed list of certificates which are no
|
453
|
+
// longer considered valid.
|
454
|
+
//
|
455
|
+
// Although an |X509_CRL| is a mutable object, mutating an |X509_CRL| can give
|
456
|
+
// incorrect results. Callers typically obtain |X509_CRL|s by parsing some input
|
457
|
+
// with |d2i_X509_CRL|, etc. Such objects carry information such as the
|
458
|
+
// serialized TBSCertList and decoded extensions, which will become inconsistent
|
459
|
+
// when mutated.
|
460
|
+
//
|
461
|
+
// Instead, mutation functions should only be used when issuing new CRLs, as
|
462
|
+
// described in a later section.
|
463
|
+
|
464
|
+
DEFINE_STACK_OF(X509_CRL)
|
465
|
+
|
466
|
+
// X509_CRL is an |ASN1_ITEM| whose ASN.1 type is X.509 CertificateList (RFC
|
467
|
+
// 5280) and C type is |X509_CRL*|.
|
468
|
+
DECLARE_ASN1_ITEM(X509_CRL)
|
469
|
+
|
470
|
+
// X509_CRL_up_ref adds one to the reference count of |crl| and returns one.
|
471
|
+
OPENSSL_EXPORT int X509_CRL_up_ref(X509_CRL *crl);
|
472
|
+
|
473
|
+
// X509_CRL_dup returns a newly-allocated copy of |crl|, or NULL on error. This
|
474
|
+
// function works by serializing the structure, so if |crl| is incomplete, it
|
475
|
+
// may fail.
|
476
|
+
//
|
477
|
+
// TODO(https://crbug.com/boringssl/407): This function should be const and
|
478
|
+
// thread-safe but is currently neither in some cases, notably if |crl| was
|
479
|
+
// mutated.
|
480
|
+
OPENSSL_EXPORT X509_CRL *X509_CRL_dup(X509_CRL *crl);
|
481
|
+
|
482
|
+
// X509_CRL_free decrements |crl|'s reference count and, if zero, releases
|
483
|
+
// memory associated with |crl|.
|
484
|
+
OPENSSL_EXPORT void X509_CRL_free(X509_CRL *crl);
|
485
|
+
|
486
|
+
// d2i_X509_CRL parses up to |len| bytes from |*inp| as a DER-encoded X.509
|
487
|
+
// CertificateList (RFC 5280), as described in |d2i_SAMPLE|.
|
488
|
+
OPENSSL_EXPORT X509_CRL *d2i_X509_CRL(X509_CRL **out, const uint8_t **inp,
|
489
|
+
long len);
|
490
|
+
|
491
|
+
// i2d_X509_CRL marshals |crl| as a X.509 CertificateList (RFC 5280), as
|
492
|
+
// described in |i2d_SAMPLE|.
|
493
|
+
//
|
494
|
+
// TODO(https://crbug.com/boringssl/407): This function should be const and
|
495
|
+
// thread-safe but is currently neither in some cases, notably if |crl| was
|
496
|
+
// mutated.
|
497
|
+
OPENSSL_EXPORT int i2d_X509_CRL(X509_CRL *crl, uint8_t **outp);
|
498
|
+
|
499
|
+
#define X509_CRL_VERSION_1 0
|
500
|
+
#define X509_CRL_VERSION_2 1
|
501
|
+
|
502
|
+
// X509_CRL_get_version returns the numerical value of |crl|'s version, which
|
503
|
+
// will be one of the |X509_CRL_VERSION_*| constants.
|
504
|
+
OPENSSL_EXPORT long X509_CRL_get_version(const X509_CRL *crl);
|
505
|
+
|
506
|
+
// X509_CRL_get0_lastUpdate returns |crl|'s thisUpdate time. The OpenSSL API
|
507
|
+
// refers to this field as lastUpdate.
|
508
|
+
OPENSSL_EXPORT const ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl);
|
509
|
+
|
510
|
+
// X509_CRL_get0_nextUpdate returns |crl|'s nextUpdate time, or NULL if |crl|
|
511
|
+
// has none.
|
512
|
+
OPENSSL_EXPORT const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl);
|
513
|
+
|
514
|
+
// X509_CRL_get_issuer returns |crl|'s issuer name. Note this function is not
|
515
|
+
// const-correct for legacy reasons.
|
516
|
+
OPENSSL_EXPORT X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl);
|
517
|
+
|
518
|
+
// X509_CRL_get_REVOKED returns the list of revoked certificates in |crl|, or
|
519
|
+
// NULL if |crl| omits it.
|
520
|
+
//
|
521
|
+
// TOOD(davidben): This function was originally a macro, without clear const
|
522
|
+
// semantics. It should take a const input and give const output, but the latter
|
523
|
+
// would break existing callers. For now, we match upstream.
|
524
|
+
OPENSSL_EXPORT STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl);
|
525
|
+
|
526
|
+
// X509_CRL_get0_extensions returns |crl|'s extension list, or NULL if |crl|
|
527
|
+
// omits it.
|
528
|
+
OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(
|
529
|
+
const X509_CRL *crl);
|
530
|
+
|
531
|
+
// X509_CRL_get_ext_count returns the number of extensions in |x|.
|
532
|
+
OPENSSL_EXPORT int X509_CRL_get_ext_count(const X509_CRL *x);
|
533
|
+
|
534
|
+
// X509_CRL_get_ext_by_NID behaves like |X509v3_get_ext_by_NID| but searches for
|
535
|
+
// extensions in |x|.
|
536
|
+
OPENSSL_EXPORT int X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid,
|
537
|
+
int lastpos);
|
538
|
+
|
539
|
+
// X509_CRL_get_ext_by_OBJ behaves like |X509v3_get_ext_by_OBJ| but searches for
|
540
|
+
// extensions in |x|.
|
541
|
+
OPENSSL_EXPORT int X509_CRL_get_ext_by_OBJ(const X509_CRL *x,
|
542
|
+
const ASN1_OBJECT *obj, int lastpos);
|
543
|
+
|
544
|
+
// X509_CRL_get_ext_by_critical behaves like |X509v3_get_ext_by_critical| but
|
545
|
+
// searches for extensions in |x|.
|
546
|
+
OPENSSL_EXPORT int X509_CRL_get_ext_by_critical(const X509_CRL *x, int crit,
|
547
|
+
int lastpos);
|
548
|
+
|
549
|
+
// X509_CRL_get_ext returns the extension in |x| at index |loc|, or NULL if
|
550
|
+
// |loc| is out of bounds. This function returns a non-const pointer for OpenSSL
|
551
|
+
// compatibility, but callers should not mutate the result.
|
552
|
+
OPENSSL_EXPORT X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc);
|
553
|
+
|
554
|
+
// X509_CRL_get0_signature sets |*out_sig| and |*out_alg| to the signature and
|
555
|
+
// signature algorithm of |crl|, respectively. Either output pointer may be NULL
|
556
|
+
// to ignore the value.
|
557
|
+
//
|
558
|
+
// This function outputs the outer signature algorithm, not the one in the
|
559
|
+
// TBSCertList. CRLs with mismatched signature algorithms will successfully
|
560
|
+
// parse, but they will be rejected when verifying.
|
561
|
+
OPENSSL_EXPORT void X509_CRL_get0_signature(const X509_CRL *crl,
|
562
|
+
const ASN1_BIT_STRING **out_sig,
|
563
|
+
const X509_ALGOR **out_alg);
|
564
|
+
|
565
|
+
// X509_CRL_get_signature_nid returns the NID corresponding to |crl|'s signature
|
566
|
+
// algorithm, or |NID_undef| if the signature algorithm does not correspond to
|
567
|
+
// a known NID.
|
568
|
+
OPENSSL_EXPORT int X509_CRL_get_signature_nid(const X509_CRL *crl);
|
569
|
+
|
570
|
+
// i2d_X509_CRL_tbs serializes the TBSCertList portion of |crl|, as described in
|
571
|
+
// |i2d_SAMPLE|.
|
572
|
+
//
|
573
|
+
// This function preserves the original encoding of the TBSCertList and may not
|
574
|
+
// reflect modifications made to |crl|. It may be used to manually verify the
|
575
|
+
// signature of an existing CRL. To generate CRLs, use |i2d_re_X509_CRL_tbs|
|
576
|
+
// instead.
|
577
|
+
OPENSSL_EXPORT int i2d_X509_CRL_tbs(X509_CRL *crl, unsigned char **outp);
|
578
|
+
|
579
|
+
|
580
|
+
// Issuing certificate revocation lists.
|
581
|
+
//
|
582
|
+
// An |X509_CRL| object may also represent an incomplete CRL. Callers may
|
583
|
+
// construct empty |X509_CRL| objects, fill in fields individually, and finally
|
584
|
+
// sign the result. The following functions may be used for this purpose.
|
585
|
+
|
586
|
+
// X509_CRL_new returns a newly-allocated, empty |X509_CRL| object, or NULL on
|
587
|
+
// error. This object may be filled in and then signed to construct a CRL.
|
588
|
+
OPENSSL_EXPORT X509_CRL *X509_CRL_new(void);
|
589
|
+
|
590
|
+
// X509_CRL_set_version sets |crl|'s version to |version|, which should be one
|
591
|
+
// of the |X509_CRL_VERSION_*| constants. It returns one on success and zero on
|
592
|
+
// error.
|
593
|
+
//
|
594
|
+
// If unsure, use |X509_CRL_VERSION_2|. Note that, unlike certificates, CRL
|
595
|
+
// versions are only defined up to v2. Callers should not use |X509_VERSION_3|.
|
596
|
+
OPENSSL_EXPORT int X509_CRL_set_version(X509_CRL *crl, long version);
|
597
|
+
|
598
|
+
// X509_CRL_set_issuer_name sets |crl|'s issuer to a copy of |name|. It returns
|
599
|
+
// one on success and zero on error.
|
600
|
+
OPENSSL_EXPORT int X509_CRL_set_issuer_name(X509_CRL *crl, X509_NAME *name);
|
601
|
+
|
602
|
+
// X509_CRL_set1_lastUpdate sets |crl|'s thisUpdate time to |tm|. It returns one
|
603
|
+
// on success and zero on error. The OpenSSL API refers to this field as
|
604
|
+
// lastUpdate.
|
605
|
+
OPENSSL_EXPORT int X509_CRL_set1_lastUpdate(X509_CRL *crl, const ASN1_TIME *tm);
|
606
|
+
|
607
|
+
// X509_CRL_set1_nextUpdate sets |crl|'s nextUpdate time to |tm|. It returns one
|
608
|
+
// on success and zero on error.
|
609
|
+
OPENSSL_EXPORT int X509_CRL_set1_nextUpdate(X509_CRL *crl, const ASN1_TIME *tm);
|
610
|
+
|
611
|
+
// X509_CRL_delete_ext removes the extension in |x| at index |loc| and returns
|
612
|
+
// the removed extension, or NULL if |loc| was out of bounds. If non-NULL, the
|
613
|
+
// caller must release the result with |X509_EXTENSION_free|.
|
614
|
+
OPENSSL_EXPORT X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc);
|
615
|
+
|
616
|
+
// X509_CRL_add_ext adds a copy of |ex| to |x|. It returns one on success and
|
617
|
+
// zero on failure. The caller retains ownership of |ex| and can release it
|
618
|
+
// independently of |x|.
|
619
|
+
//
|
620
|
+
// The new extension is inserted at index |loc|, shifting extensions to the
|
621
|
+
// right. If |loc| is -1 or out of bounds, the new extension is appended to the
|
622
|
+
// list.
|
623
|
+
OPENSSL_EXPORT int X509_CRL_add_ext(X509_CRL *x, const X509_EXTENSION *ex,
|
624
|
+
int loc);
|
625
|
+
|
626
|
+
// X509_CRL_sign signs |crl| with |pkey| and replaces the signature algorithm
|
627
|
+
// and signature fields. It returns one on success and zero on error. This
|
628
|
+
// function uses digest algorithm |md|, or |pkey|'s default if NULL. Other
|
629
|
+
// signing parameters use |pkey|'s defaults. To customize them, use
|
630
|
+
// |X509_CRL_sign_ctx|.
|
631
|
+
OPENSSL_EXPORT int X509_CRL_sign(X509_CRL *crl, EVP_PKEY *pkey,
|
632
|
+
const EVP_MD *md);
|
633
|
+
|
634
|
+
// X509_CRL_sign_ctx signs |crl| with |ctx| and replaces the signature algorithm
|
635
|
+
// and signature fields. It returns one on success and zero on error. The
|
636
|
+
// signature algorithm and parameters come from |ctx|, which must have been
|
637
|
+
// initialized with |EVP_DigestSignInit|. The caller should configure the
|
638
|
+
// corresponding |EVP_PKEY_CTX| before calling this function.
|
639
|
+
OPENSSL_EXPORT int X509_CRL_sign_ctx(X509_CRL *crl, EVP_MD_CTX *ctx);
|
640
|
+
|
641
|
+
// i2d_re_X509_CRL_tbs serializes the TBSCertList portion of |crl|, as described
|
642
|
+
// in |i2d_SAMPLE|.
|
643
|
+
//
|
644
|
+
// This function re-encodes the TBSCertList and may not reflect |crl|'s original
|
645
|
+
// encoding. It may be used to manually generate a signature for a new CRL. To
|
646
|
+
// verify CRLs, use |i2d_X509_CRL_tbs| instead.
|
647
|
+
OPENSSL_EXPORT int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **outp);
|
648
|
+
|
649
|
+
// X509_CRL_set1_signature_algo sets |crl|'s signature algorithm to |algo| and
|
650
|
+
// returns one on success or zero on error. It updates both the signature field
|
651
|
+
// of the TBSCertList structure, and the signatureAlgorithm field of the CRL.
|
652
|
+
OPENSSL_EXPORT int X509_CRL_set1_signature_algo(X509_CRL *crl,
|
653
|
+
const X509_ALGOR *algo);
|
654
|
+
|
655
|
+
// X509_CRL_set1_signature_value sets |crl|'s signature to a copy of the
|
656
|
+
// |sig_len| bytes pointed by |sig|. It returns one on success and zero on
|
657
|
+
// error.
|
658
|
+
//
|
659
|
+
// Due to a specification error, X.509 CRLs store signatures in ASN.1 BIT
|
660
|
+
// STRINGs, but signature algorithms return byte strings rather than bit
|
661
|
+
// strings. This function creates a BIT STRING containing a whole number of
|
662
|
+
// bytes, with the bit order matching the DER encoding. This matches the
|
663
|
+
// encoding used by all X.509 signature algorithms.
|
664
|
+
OPENSSL_EXPORT int X509_CRL_set1_signature_value(X509_CRL *crl,
|
665
|
+
const uint8_t *sig,
|
666
|
+
size_t sig_len);
|
667
|
+
|
668
|
+
|
669
|
+
// Certificate requests.
|
670
|
+
//
|
671
|
+
// An |X509_REQ| represents a PKCS #10 certificate request (RFC 2986). These are
|
672
|
+
// also referred to as certificate signing requests or CSRs. CSRs are a common
|
673
|
+
// format used to request a certificate from a CA.
|
674
|
+
//
|
675
|
+
// Although an |X509_REQ| is a mutable object, mutating an |X509_REQ| can give
|
676
|
+
// incorrect results. Callers typically obtain |X509_REQ|s by parsing some input
|
677
|
+
// with |d2i_X509_REQ|, etc. Such objects carry information such as the
|
678
|
+
// serialized CertificationRequestInfo, which will become inconsistent when
|
679
|
+
// mutated.
|
680
|
+
//
|
681
|
+
// Instead, mutation functions should only be used when issuing new CRLs, as
|
682
|
+
// described in a later section.
|
683
|
+
|
684
|
+
// X509_REQ is an |ASN1_ITEM| whose ASN.1 type is CertificateRequest (RFC 2986)
|
685
|
+
// and C type is |X509_REQ*|.
|
686
|
+
DECLARE_ASN1_ITEM(X509_REQ)
|
687
|
+
|
688
|
+
// X509_REQ_dup returns a newly-allocated copy of |req|, or NULL on error. This
|
689
|
+
// function works by serializing the structure, so if |req| is incomplete, it
|
690
|
+
// may fail.
|
691
|
+
//
|
692
|
+
// TODO(https://crbug.com/boringssl/407): This function should be const and
|
693
|
+
// thread-safe but is currently neither in some cases, notably if |req| was
|
694
|
+
// mutated.
|
695
|
+
OPENSSL_EXPORT X509_REQ *X509_REQ_dup(X509_REQ *req);
|
696
|
+
|
697
|
+
// X509_REQ_free releases memory associated with |req|.
|
698
|
+
OPENSSL_EXPORT void X509_REQ_free(X509_REQ *req);
|
699
|
+
|
700
|
+
// d2i_X509_REQ parses up to |len| bytes from |*inp| as a DER-encoded
|
701
|
+
// CertificateRequest (RFC 2986), as described in |d2i_SAMPLE|.
|
702
|
+
OPENSSL_EXPORT X509_REQ *d2i_X509_REQ(X509_REQ **out, const uint8_t **inp,
|
703
|
+
long len);
|
704
|
+
|
705
|
+
// i2d_X509_REQ marshals |req| as a CertificateRequest (RFC 2986), as described
|
706
|
+
// in |i2d_SAMPLE|.
|
707
|
+
//
|
708
|
+
// TODO(https://crbug.com/boringssl/407): This function should be const and
|
709
|
+
// thread-safe but is currently neither in some cases, notably if |req| was
|
710
|
+
// mutated.
|
711
|
+
OPENSSL_EXPORT int i2d_X509_REQ(X509_REQ *req, uint8_t **outp);
|
712
|
+
|
713
|
+
|
714
|
+
// X509_REQ_VERSION_1 is the version constant for |X509_REQ| objects. No other
|
715
|
+
// versions are defined.
|
716
|
+
#define X509_REQ_VERSION_1 0
|
717
|
+
|
718
|
+
// X509_REQ_get_version returns the numerical value of |req|'s version. This
|
719
|
+
// will always be |X509_REQ_VERSION_1| for valid CSRs. For compatibility,
|
720
|
+
// |d2i_X509_REQ| also accepts some invalid version numbers, in which case this
|
721
|
+
// function may return other values.
|
722
|
+
OPENSSL_EXPORT long X509_REQ_get_version(const X509_REQ *req);
|
723
|
+
|
724
|
+
// X509_REQ_get_subject_name returns |req|'s subject name. Note this function is
|
725
|
+
// not const-correct for legacy reasons.
|
726
|
+
OPENSSL_EXPORT X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req);
|
727
|
+
|
728
|
+
// X509_REQ_get_pubkey returns |req|'s public key as an |EVP_PKEY|, or NULL if
|
729
|
+
// the public key was unsupported or could not be decoded. This function returns
|
730
|
+
// a reference to the |EVP_PKEY|. The caller must release the result with
|
731
|
+
// |EVP_PKEY_free| when done.
|
732
|
+
OPENSSL_EXPORT EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req);
|
733
|
+
|
734
|
+
// X509_REQ_get0_signature sets |*out_sig| and |*out_alg| to the signature and
|
735
|
+
// signature algorithm of |req|, respectively. Either output pointer may be NULL
|
736
|
+
// to ignore the value.
|
737
|
+
OPENSSL_EXPORT void X509_REQ_get0_signature(const X509_REQ *req,
|
738
|
+
const ASN1_BIT_STRING **out_sig,
|
739
|
+
const X509_ALGOR **out_alg);
|
740
|
+
|
741
|
+
// X509_REQ_get_signature_nid returns the NID corresponding to |req|'s signature
|
742
|
+
// algorithm, or |NID_undef| if the signature algorithm does not correspond to
|
743
|
+
// a known NID.
|
744
|
+
OPENSSL_EXPORT int X509_REQ_get_signature_nid(const X509_REQ *req);
|
745
|
+
|
746
|
+
|
747
|
+
// Issuing certificate requests.
|
748
|
+
//
|
749
|
+
// An |X509_REQ| object may also represent an incomplete CSR. Callers may
|
750
|
+
// construct empty |X509_REQ| objects, fill in fields individually, and finally
|
751
|
+
// sign the result. The following functions may be used for this purpose.
|
752
|
+
|
753
|
+
// X509_REQ_new returns a newly-allocated, empty |X509_REQ| object, or NULL on
|
754
|
+
// error. This object may be filled in and then signed to construct a CSR.
|
755
|
+
OPENSSL_EXPORT X509_REQ *X509_REQ_new(void);
|
756
|
+
|
757
|
+
// X509_REQ_set_version sets |req|'s version to |version|, which should be
|
758
|
+
// |X509_REQ_VERSION_1|. It returns one on success and zero on error.
|
759
|
+
//
|
760
|
+
// The only defined CSR version is |X509_REQ_VERSION_1|, so there is no need to
|
761
|
+
// call this function.
|
762
|
+
OPENSSL_EXPORT int X509_REQ_set_version(X509_REQ *req, long version);
|
763
|
+
|
764
|
+
// X509_REQ_set_subject_name sets |req|'s subject to a copy of |name|. It
|
765
|
+
// returns one on success and zero on error.
|
766
|
+
OPENSSL_EXPORT int X509_REQ_set_subject_name(X509_REQ *req, X509_NAME *name);
|
767
|
+
|
768
|
+
// X509_REQ_set_pubkey sets |req|'s public key to |pkey|. It returns one on
|
769
|
+
// success and zero on error. This function does not take ownership of |pkey|
|
770
|
+
// and internally copies and updates reference counts as needed.
|
771
|
+
OPENSSL_EXPORT int X509_REQ_set_pubkey(X509_REQ *req, EVP_PKEY *pkey);
|
772
|
+
|
773
|
+
// X509_REQ_sign signs |req| with |pkey| and replaces the signature algorithm
|
774
|
+
// and signature fields. It returns one on success and zero on error. This
|
775
|
+
// function uses digest algorithm |md|, or |pkey|'s default if NULL. Other
|
776
|
+
// signing parameters use |pkey|'s defaults. To customize them, use
|
777
|
+
// |X509_REQ_sign_ctx|.
|
778
|
+
OPENSSL_EXPORT int X509_REQ_sign(X509_REQ *req, EVP_PKEY *pkey,
|
779
|
+
const EVP_MD *md);
|
780
|
+
|
781
|
+
// X509_REQ_sign_ctx signs |req| with |ctx| and replaces the signature algorithm
|
782
|
+
// and signature fields. It returns one on success and zero on error. The
|
783
|
+
// signature algorithm and parameters come from |ctx|, which must have been
|
784
|
+
// initialized with |EVP_DigestSignInit|. The caller should configure the
|
785
|
+
// corresponding |EVP_PKEY_CTX| before calling this function.
|
786
|
+
OPENSSL_EXPORT int X509_REQ_sign_ctx(X509_REQ *req, EVP_MD_CTX *ctx);
|
787
|
+
|
788
|
+
// i2d_re_X509_REQ_tbs serializes the CertificationRequestInfo (see RFC 2986)
|
789
|
+
// portion of |req|, as described in |i2d_SAMPLE|.
|
790
|
+
//
|
791
|
+
// This function re-encodes the CertificationRequestInfo and may not reflect
|
792
|
+
// |req|'s original encoding. It may be used to manually generate a signature
|
793
|
+
// for a new certificate request.
|
794
|
+
OPENSSL_EXPORT int i2d_re_X509_REQ_tbs(X509_REQ *req, uint8_t **outp);
|
795
|
+
|
796
|
+
// X509_REQ_set1_signature_algo sets |req|'s signature algorithm to |algo| and
|
797
|
+
// returns one on success or zero on error.
|
798
|
+
OPENSSL_EXPORT int X509_REQ_set1_signature_algo(X509_REQ *req,
|
799
|
+
const X509_ALGOR *algo);
|
800
|
+
|
801
|
+
// X509_REQ_set1_signature_value sets |req|'s signature to a copy of the
|
802
|
+
// |sig_len| bytes pointed by |sig|. It returns one on success and zero on
|
803
|
+
// error.
|
804
|
+
//
|
805
|
+
// Due to a specification error, PKCS#10 certificate requests store signatures
|
806
|
+
// in ASN.1 BIT STRINGs, but signature algorithms return byte strings rather
|
807
|
+
// than bit strings. This function creates a BIT STRING containing a whole
|
808
|
+
// number of bytes, with the bit order matching the DER encoding. This matches
|
809
|
+
// the encoding used by all X.509 signature algorithms.
|
810
|
+
OPENSSL_EXPORT int X509_REQ_set1_signature_value(X509_REQ *req,
|
811
|
+
const uint8_t *sig,
|
812
|
+
size_t sig_len);
|
813
|
+
|
814
|
+
|
815
|
+
// Names.
|
816
|
+
//
|
817
|
+
// An |X509_NAME| represents an X.509 Name structure (RFC 5280). X.509 names are
|
818
|
+
// a complex, hierarchical structure over a collection of attributes. Each name
|
819
|
+
// is sequence of relative distinguished names (RDNs), decreasing in
|
820
|
+
// specificity. For example, the first RDN may specify the country, while the
|
821
|
+
// next RDN may specify a locality. Each RDN is, itself, a set of attributes.
|
822
|
+
// Having more than one attribute in an RDN is uncommon, but possible. Within an
|
823
|
+
// RDN, attributes have the same level in specificity. Attribute types are
|
824
|
+
// OBJECT IDENTIFIERs. This determines the ASN.1 type of the value, which is
|
825
|
+
// commonly a string but may be other types.
|
826
|
+
//
|
827
|
+
// The |X509_NAME| representation flattens this two-level structure into a
|
828
|
+
// single list of attributes. Each attribute is stored in an |X509_NAME_ENTRY|,
|
829
|
+
// with also maintains the index of the RDN it is part of, accessible via
|
830
|
+
// |X509_NAME_ENTRY_set|. This can be used to recover the two-level structure.
|
831
|
+
//
|
832
|
+
// X.509 names are largely vestigial. Historically, DNS names were parsed out of
|
833
|
+
// the subject's common name attribute, but this is deprecated and has since
|
834
|
+
// moved to the subject alternative name extension. In modern usage, X.509 names
|
835
|
+
// are primarily opaque identifiers to link a certificate with its issuer.
|
836
|
+
|
837
|
+
DEFINE_STACK_OF(X509_NAME_ENTRY)
|
838
|
+
DEFINE_STACK_OF(X509_NAME)
|
839
|
+
|
840
|
+
// X509_NAME is an |ASN1_ITEM| whose ASN.1 type is X.509 Name (RFC 5280) and C
|
841
|
+
// type is |X509_NAME*|.
|
842
|
+
DECLARE_ASN1_ITEM(X509_NAME)
|
843
|
+
|
844
|
+
// X509_NAME_new returns a new, empty |X509_NAME_new|, or NULL on
|
845
|
+
// error.
|
846
|
+
OPENSSL_EXPORT X509_NAME *X509_NAME_new(void);
|
847
|
+
|
848
|
+
// X509_NAME_free releases memory associated with |name|.
|
849
|
+
OPENSSL_EXPORT void X509_NAME_free(X509_NAME *name);
|
850
|
+
|
851
|
+
// d2i_X509_NAME parses up to |len| bytes from |*inp| as a DER-encoded X.509
|
852
|
+
// Name (RFC 5280), as described in |d2i_SAMPLE|.
|
853
|
+
OPENSSL_EXPORT X509_NAME *d2i_X509_NAME(X509_NAME **out, const uint8_t **inp,
|
854
|
+
long len);
|
855
|
+
|
856
|
+
// i2d_X509_NAME marshals |in| as a DER-encoded X.509 Name (RFC 5280), as
|
857
|
+
// described in |i2d_SAMPLE|.
|
858
|
+
//
|
859
|
+
// TODO(https://crbug.com/boringssl/407): This function should be const and
|
860
|
+
// thread-safe but is currently neither in some cases, notably if |in| was
|
861
|
+
// mutated.
|
862
|
+
OPENSSL_EXPORT int i2d_X509_NAME(X509_NAME *in, uint8_t **outp);
|
863
|
+
|
864
|
+
// X509_NAME_dup returns a newly-allocated copy of |name|, or NULL on error.
|
865
|
+
//
|
866
|
+
// TODO(https://crbug.com/boringssl/407): This function should be const and
|
867
|
+
// thread-safe but is currently neither in some cases, notably if |name| was
|
868
|
+
// mutated.
|
869
|
+
OPENSSL_EXPORT X509_NAME *X509_NAME_dup(X509_NAME *name);
|
870
|
+
|
871
|
+
// X509_NAME_get0_der sets |*out_der| and |*out_der_len|
|
872
|
+
//
|
873
|
+
// Avoid this function and prefer |i2d_X509_NAME|. It is one of the reasons
|
874
|
+
// these functions are not consistently thread-safe or const-correct. Depending
|
875
|
+
// on the resolution of https://crbug.com/boringssl/407, this function may be
|
876
|
+
// removed or cause poor performance.
|
877
|
+
OPENSSL_EXPORT int X509_NAME_get0_der(X509_NAME *name, const uint8_t **out_der,
|
878
|
+
size_t *out_der_len);
|
879
|
+
|
880
|
+
// X509_NAME_set makes a copy of |name|. On success, it frees |*xn|, sets |*xn|
|
881
|
+
// to the copy, and returns one. Otherwise, it returns zero.
|
882
|
+
//
|
883
|
+
// TODO(https://crbug.com/boringssl/407): This function should be const and
|
884
|
+
// thread-safe but is currently neither in some cases, notably if |name| was
|
885
|
+
// mutated.
|
886
|
+
OPENSSL_EXPORT int X509_NAME_set(X509_NAME **xn, X509_NAME *name);
|
887
|
+
|
888
|
+
// X509_NAME_entry_count returns the number of entries in |name|.
|
889
|
+
OPENSSL_EXPORT int X509_NAME_entry_count(const X509_NAME *name);
|
890
|
+
|
891
|
+
// X509_NAME_get_index_by_NID returns the zero-based index of the first
|
892
|
+
// attribute in |name| with type |nid|, or -1 if there is none. |nid| should be
|
893
|
+
// one of the |NID_*| constants. If |lastpos| is non-negative, it begins
|
894
|
+
// searching at |lastpos+1|. To search all attributes, pass in -1, not zero.
|
895
|
+
//
|
896
|
+
// Indices from this function refer to |X509_NAME|'s flattened representation.
|
897
|
+
OPENSSL_EXPORT int X509_NAME_get_index_by_NID(const X509_NAME *name, int nid,
|
898
|
+
int lastpos);
|
899
|
+
|
900
|
+
// X509_NAME_get_index_by_OBJ behaves like |X509_NAME_get_index_by_NID| but
|
901
|
+
// looks for attributes with type |obj|.
|
902
|
+
OPENSSL_EXPORT int X509_NAME_get_index_by_OBJ(const X509_NAME *name,
|
903
|
+
const ASN1_OBJECT *obj,
|
904
|
+
int lastpos);
|
905
|
+
|
906
|
+
// X509_NAME_get_entry returns the attribute in |name| at index |loc|, or NULL
|
907
|
+
// if |loc| is out of range. |loc| is interpreted using |X509_NAME|'s flattened
|
908
|
+
// representation. This function returns a non-const pointer for OpenSSL
|
909
|
+
// compatibility, but callers should not mutate the result. Doing so will break
|
910
|
+
// internal invariants in the library.
|
911
|
+
OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_get_entry(const X509_NAME *name,
|
912
|
+
int loc);
|
913
|
+
|
914
|
+
// X509_NAME_delete_entry removes and returns the attribute in |name| at index
|
915
|
+
// |loc|, or NULL if |loc| is out of range. |loc| is interpreted using
|
916
|
+
// |X509_NAME|'s flattened representation. If the attribute is found, the caller
|
917
|
+
// is responsible for releasing the result with |X509_NAME_ENTRY_free|.
|
918
|
+
//
|
919
|
+
// This function will internally update RDN indices (see |X509_NAME_ENTRY_set|)
|
920
|
+
// so they continue to be consecutive.
|
921
|
+
OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name,
|
922
|
+
int loc);
|
923
|
+
|
924
|
+
// X509_NAME_add_entry adds a copy of |entry| to |name| and returns one on
|
925
|
+
// success or zero on error. If |loc| is -1, the entry is appended to |name|.
|
926
|
+
// Otherwise, it is inserted at index |loc|. If |set| is -1, the entry is added
|
927
|
+
// to the previous entry's RDN. If it is 0, the entry becomes a singleton RDN.
|
928
|
+
// If 1, it is added to next entry's RDN.
|
929
|
+
//
|
930
|
+
// This function will internally update RDN indices (see |X509_NAME_ENTRY_set|)
|
931
|
+
// so they continue to be consecutive.
|
932
|
+
OPENSSL_EXPORT int X509_NAME_add_entry(X509_NAME *name,
|
933
|
+
const X509_NAME_ENTRY *entry, int loc,
|
934
|
+
int set);
|
935
|
+
|
936
|
+
// X509_NAME_add_entry_by_OBJ adds a new entry to |name| and returns one on
|
937
|
+
// success or zero on error. The entry's attribute type is |obj|. The entry's
|
938
|
+
// attribute value is determined by |type|, |bytes|, and |len|, as in
|
939
|
+
// |X509_NAME_ENTRY_set_data|. The entry's position is determined by |loc| and
|
940
|
+
// |set| as in |X509_NAME_add_entry|.
|
941
|
+
OPENSSL_EXPORT int X509_NAME_add_entry_by_OBJ(X509_NAME *name,
|
942
|
+
const ASN1_OBJECT *obj, int type,
|
943
|
+
const uint8_t *bytes, int len,
|
944
|
+
int loc, int set);
|
945
|
+
|
946
|
+
// X509_NAME_add_entry_by_NID behaves like |X509_NAME_add_entry_by_OBJ| but sets
|
947
|
+
// the entry's attribute type to |nid|, which should be one of the |NID_*|
|
948
|
+
// constants.
|
949
|
+
OPENSSL_EXPORT int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid,
|
950
|
+
int type, const uint8_t *bytes,
|
951
|
+
int len, int loc, int set);
|
952
|
+
|
953
|
+
// X509_NAME_add_entry_by_txt behaves like |X509_NAME_add_entry_by_OBJ| but sets
|
954
|
+
// the entry's attribute type to |field|, which is passed to |OBJ_txt2obj|.
|
955
|
+
OPENSSL_EXPORT int X509_NAME_add_entry_by_txt(X509_NAME *name,
|
956
|
+
const char *field, int type,
|
957
|
+
const uint8_t *bytes, int len,
|
958
|
+
int loc, int set);
|
959
|
+
|
960
|
+
// X509_NAME_ENTRY is an |ASN1_ITEM| whose ASN.1 type is AttributeTypeAndValue
|
961
|
+
// (RFC 5280) and C type is |X509_NAME_ENTRY*|.
|
962
|
+
DECLARE_ASN1_ITEM(X509_NAME_ENTRY)
|
963
|
+
|
964
|
+
// X509_NAME_ENTRY_new returns a new, empty |X509_NAME_ENTRY_new|, or NULL on
|
965
|
+
// error.
|
966
|
+
OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_new(void);
|
967
|
+
|
968
|
+
// X509_NAME_ENTRY_free releases memory associated with |entry|.
|
969
|
+
OPENSSL_EXPORT void X509_NAME_ENTRY_free(X509_NAME_ENTRY *entry);
|
970
|
+
|
971
|
+
// d2i_X509_NAME_ENTRY parses up to |len| bytes from |*inp| as a DER-encoded
|
972
|
+
// AttributeTypeAndValue (RFC 5280), as described in |d2i_SAMPLE|.
|
973
|
+
OPENSSL_EXPORT X509_NAME_ENTRY *d2i_X509_NAME_ENTRY(X509_NAME_ENTRY **out,
|
974
|
+
const uint8_t **inp,
|
975
|
+
long len);
|
976
|
+
|
977
|
+
// i2d_X509_NAME_ENTRY marshals |in| as a DER-encoded AttributeTypeAndValue (RFC
|
978
|
+
// 5280), as described in |i2d_SAMPLE|.
|
979
|
+
OPENSSL_EXPORT int i2d_X509_NAME_ENTRY(const X509_NAME_ENTRY *in,
|
980
|
+
uint8_t **outp);
|
981
|
+
|
982
|
+
// X509_NAME_ENTRY_dup returns a newly-allocated copy of |entry|, or NULL on
|
983
|
+
// error.
|
984
|
+
OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_dup(
|
985
|
+
const X509_NAME_ENTRY *entry);
|
986
|
+
|
987
|
+
// X509_NAME_ENTRY_get_object returns |entry|'s attribute type. This function
|
988
|
+
// returns a non-const pointer for OpenSSL compatibility, but callers should not
|
989
|
+
// mutate the result. Doing so will break internal invariants in the library.
|
990
|
+
OPENSSL_EXPORT ASN1_OBJECT *X509_NAME_ENTRY_get_object(
|
991
|
+
const X509_NAME_ENTRY *entry);
|
992
|
+
|
993
|
+
// X509_NAME_ENTRY_set_object sets |entry|'s attribute type to |obj|. It returns
|
994
|
+
// one on success and zero on error.
|
995
|
+
OPENSSL_EXPORT int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *entry,
|
996
|
+
const ASN1_OBJECT *obj);
|
997
|
+
|
998
|
+
// X509_NAME_ENTRY_get_data returns |entry|'s attribute value, represented as an
|
999
|
+
// |ASN1_STRING|. This value may have any ASN.1 type, so callers must check the
|
1000
|
+
// type before interpreting the contents. This function returns a non-const
|
1001
|
+
// pointer for OpenSSL compatibility, but callers should not mutate the result.
|
1002
|
+
// Doing so will break internal invariants in the library.
|
1003
|
+
//
|
1004
|
+
// TODO(https://crbug.com/boringssl/412): Although the spec says any ASN.1 type
|
1005
|
+
// is allowed, we currently only allow an ad-hoc set of types. Additionally, it
|
1006
|
+
// is unclear if some types can even be represented by this function.
|
1007
|
+
OPENSSL_EXPORT ASN1_STRING *X509_NAME_ENTRY_get_data(
|
1008
|
+
const X509_NAME_ENTRY *entry);
|
1009
|
+
|
1010
|
+
// X509_NAME_ENTRY_set_data sets |entry|'s value to |len| bytes from |bytes|. It
|
1011
|
+
// returns one on success and zero on error. If |len| is -1, |bytes| must be a
|
1012
|
+
// NUL-terminated C string and the length is determined by |strlen|. |bytes| is
|
1013
|
+
// converted to an ASN.1 type as follows:
|
1014
|
+
//
|
1015
|
+
// If |type| is a |MBSTRING_*| constant, the value is an ASN.1 string. The
|
1016
|
+
// string is determined by decoding |bytes| in the encoding specified by |type|,
|
1017
|
+
// and then re-encoding it in a form appropriate for |entry|'s attribute type.
|
1018
|
+
// See |ASN1_STRING_set_by_NID| for details.
|
1019
|
+
//
|
1020
|
+
// Otherwise, the value is an |ASN1_STRING| with type |type| and value |bytes|.
|
1021
|
+
// See |ASN1_STRING| for how to format ASN.1 types as an |ASN1_STRING|. If
|
1022
|
+
// |type| is |V_ASN1_UNDEF| the previous |ASN1_STRING| type is reused.
|
1023
|
+
OPENSSL_EXPORT int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *entry, int type,
|
1024
|
+
const uint8_t *bytes, int len);
|
1025
|
+
|
1026
|
+
// X509_NAME_ENTRY_set returns the zero-based index of the RDN which contains
|
1027
|
+
// |entry|. Consecutive entries with the same index are part of the same RDN.
|
1028
|
+
OPENSSL_EXPORT int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *entry);
|
1029
|
+
|
1030
|
+
// X509_NAME_ENTRY_create_by_OBJ creates a new |X509_NAME_ENTRY| with attribute
|
1031
|
+
// type |obj|. The attribute value is determined from |type|, |bytes|, and |len|
|
1032
|
+
// as in |X509_NAME_ENTRY_set_data|. It returns the |X509_NAME_ENTRY| on success
|
1033
|
+
// and NULL on error.
|
1034
|
+
//
|
1035
|
+
// If |out| is non-NULL and |*out| is NULL, it additionally sets |*out| to the
|
1036
|
+
// result on success. If both |out| and |*out| are non-NULL, it updates the
|
1037
|
+
// object at |*out| instead of allocating a new one.
|
1038
|
+
OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(
|
1039
|
+
X509_NAME_ENTRY **out, const ASN1_OBJECT *obj, int type,
|
1040
|
+
const uint8_t *bytes, int len);
|
1041
|
+
|
1042
|
+
// X509_NAME_ENTRY_create_by_NID behaves like |X509_NAME_ENTRY_create_by_OBJ|
|
1043
|
+
// except the attribute type is |nid|, which should be one of the |NID_*|
|
1044
|
+
// constants.
|
1045
|
+
OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(
|
1046
|
+
X509_NAME_ENTRY **out, int nid, int type, const uint8_t *bytes, int len);
|
1047
|
+
|
1048
|
+
// X509_NAME_ENTRY_create_by_txt behaves like |X509_NAME_ENTRY_create_by_OBJ|
|
1049
|
+
// except the attribute type is |field|, which is passed to |OBJ_txt2obj|.
|
1050
|
+
OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(
|
1051
|
+
X509_NAME_ENTRY **out, const char *field, int type, const uint8_t *bytes,
|
1052
|
+
int len);
|
1053
|
+
|
1054
|
+
|
1055
|
+
// Extensions.
|
1056
|
+
//
|
1057
|
+
// X.509 certificates and CRLs may contain a list of extensions (RFC 5280).
|
1058
|
+
// Extensions have a type, specified by an object identifier (|ASN1_OBJECT|) and
|
1059
|
+
// a byte string value, which should a DER-encoded structure whose type is
|
1060
|
+
// determined by the extension type. This library represents extensions with the
|
1061
|
+
// |X509_EXTENSION| type.
|
1062
|
+
|
1063
|
+
// X509_EXTENSION is an |ASN1_ITEM| whose ASN.1 type is X.509 Extension (RFC
|
1064
|
+
// 5280) and C type is |X509_EXTENSION*|.
|
1065
|
+
DECLARE_ASN1_ITEM(X509_EXTENSION)
|
1066
|
+
|
1067
|
+
// X509_EXTENSION_new returns a newly-allocated, empty |X509_EXTENSION| object
|
1068
|
+
// or NULL on error.
|
1069
|
+
OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_new(void);
|
1070
|
+
|
1071
|
+
// X509_EXTENSION_free releases memory associated with |ex|.
|
1072
|
+
OPENSSL_EXPORT void X509_EXTENSION_free(X509_EXTENSION *ex);
|
1073
|
+
|
1074
|
+
// d2i_X509_EXTENSION parses up to |len| bytes from |*inp| as a DER-encoded
|
1075
|
+
// X.509 Extension (RFC 5280), as described in |d2i_SAMPLE|.
|
1076
|
+
OPENSSL_EXPORT X509_EXTENSION *d2i_X509_EXTENSION(X509_EXTENSION **out,
|
1077
|
+
const uint8_t **inp,
|
1078
|
+
long len);
|
1079
|
+
|
1080
|
+
// i2d_X509_EXTENSION marshals |ex| as a DER-encoded X.509 Extension (RFC
|
1081
|
+
// 5280), as described in |i2d_SAMPLE|.
|
1082
|
+
OPENSSL_EXPORT int i2d_X509_EXTENSION(const X509_EXTENSION *ex, uint8_t **outp);
|
1083
|
+
|
1084
|
+
// X509_EXTENSION_dup returns a newly-allocated copy of |ex|, or NULL on error.
|
1085
|
+
// This function works by serializing the structure, so if |ex| is incomplete,
|
1086
|
+
// it may fail.
|
1087
|
+
OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_dup(const X509_EXTENSION *ex);
|
1088
|
+
|
1089
|
+
// X509_EXTENSION_create_by_NID creates a new |X509_EXTENSION| with type |nid|,
|
1090
|
+
// value |data|, and critical bit |crit|. It returns an |X509_EXTENSION| on
|
1091
|
+
// success, and NULL on error. |nid| should be a |NID_*| constant.
|
1092
|
+
//
|
1093
|
+
// If |ex| and |*ex| are both non-NULL, |*ex| is used to hold the result,
|
1094
|
+
// otherwise a new object is allocated. If |ex| is non-NULL and |*ex| is NULL,
|
1095
|
+
// the function sets |*ex| to point to the newly allocated result, in addition
|
1096
|
+
// to returning the result.
|
1097
|
+
OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_create_by_NID(
|
1098
|
+
X509_EXTENSION **ex, int nid, int crit, const ASN1_OCTET_STRING *data);
|
1099
|
+
|
1100
|
+
// X509_EXTENSION_create_by_OBJ behaves like |X509_EXTENSION_create_by_NID|, but
|
1101
|
+
// the extension type is determined by an |ASN1_OBJECT|.
|
1102
|
+
OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_create_by_OBJ(
|
1103
|
+
X509_EXTENSION **ex, const ASN1_OBJECT *obj, int crit,
|
1104
|
+
const ASN1_OCTET_STRING *data);
|
1105
|
+
|
1106
|
+
// X509_EXTENSION_get_object returns |ex|'s extension type. This function
|
1107
|
+
// returns a non-const pointer for OpenSSL compatibility, but callers should not
|
1108
|
+
// mutate the result.
|
1109
|
+
OPENSSL_EXPORT ASN1_OBJECT *X509_EXTENSION_get_object(const X509_EXTENSION *ex);
|
1110
|
+
|
1111
|
+
// X509_EXTENSION_get_data returns |ne|'s extension value. This function returns
|
1112
|
+
// a non-const pointer for OpenSSL compatibility, but callers should not mutate
|
1113
|
+
// the result.
|
1114
|
+
OPENSSL_EXPORT ASN1_OCTET_STRING *X509_EXTENSION_get_data(
|
1115
|
+
const X509_EXTENSION *ne);
|
1116
|
+
|
1117
|
+
// X509_EXTENSION_get_critical returns one if |ex| is critical and zero
|
1118
|
+
// otherwise.
|
1119
|
+
OPENSSL_EXPORT int X509_EXTENSION_get_critical(const X509_EXTENSION *ex);
|
1120
|
+
|
1121
|
+
// X509_EXTENSION_set_object sets |ex|'s extension type to |obj|. It returns one
|
1122
|
+
// on success and zero on error.
|
1123
|
+
OPENSSL_EXPORT int X509_EXTENSION_set_object(X509_EXTENSION *ex,
|
1124
|
+
const ASN1_OBJECT *obj);
|
1125
|
+
|
1126
|
+
// X509_EXTENSION_set_critical sets |ex| to critical if |crit| is non-zero and
|
1127
|
+
// to non-critical if |crit| is zero.
|
1128
|
+
OPENSSL_EXPORT int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit);
|
1129
|
+
|
1130
|
+
// X509_EXTENSION_set_data set's |ex|'s extension value to a copy of |data|. It
|
1131
|
+
// returns one on success and zero on error.
|
1132
|
+
OPENSSL_EXPORT int X509_EXTENSION_set_data(X509_EXTENSION *ex,
|
1133
|
+
const ASN1_OCTET_STRING *data);
|
1134
|
+
|
1135
|
+
|
1136
|
+
// Extension lists.
|
1137
|
+
//
|
1138
|
+
// The following functions manipulate lists of extensions. Most of them have
|
1139
|
+
// corresponding functions on the containing |X509|, |X509_CRL|, or
|
1140
|
+
// |X509_REVOKED|.
|
1141
|
+
|
1142
|
+
DEFINE_STACK_OF(X509_EXTENSION)
|
1143
|
+
typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS;
|
1144
|
+
|
1145
|
+
// X509_EXTENSIONS is an |ASN1_ITEM| whose ASN.1 type is SEQUENCE of Extension
|
1146
|
+
// (RFC 5280) and C type is |STACK_OF(X509_EXTENSION)*|.
|
1147
|
+
DECLARE_ASN1_ITEM(X509_EXTENSIONS)
|
1148
|
+
|
1149
|
+
// d2i_X509_EXTENSIONS parses up to |len| bytes from |*inp| as a DER-encoded
|
1150
|
+
// SEQUENCE OF Extension (RFC 5280), as described in |d2i_SAMPLE|.
|
1151
|
+
OPENSSL_EXPORT X509_EXTENSIONS *d2i_X509_EXTENSIONS(X509_EXTENSIONS **out,
|
1152
|
+
const uint8_t **inp,
|
1153
|
+
long len);
|
1154
|
+
|
1155
|
+
// i2d_X509_EXTENSIONS marshals |alg| as a DER-encoded SEQUENCE OF Extension
|
1156
|
+
// (RFC 5280), as described in |i2d_SAMPLE|.
|
1157
|
+
OPENSSL_EXPORT int i2d_X509_EXTENSIONS(const X509_EXTENSIONS *alg,
|
1158
|
+
uint8_t **outp);
|
1159
|
+
|
1160
|
+
// X509v3_get_ext_count returns the number of extensions in |x|.
|
1161
|
+
OPENSSL_EXPORT int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x);
|
1162
|
+
|
1163
|
+
// X509v3_get_ext_by_NID returns the index of the first extension in |x| with
|
1164
|
+
// type |nid|, or a negative number if not found. If found, callers can use
|
1165
|
+
// |X509v3_get_ext| to look up the extension by index.
|
1166
|
+
//
|
1167
|
+
// If |lastpos| is non-negative, it begins searching at |lastpos| + 1. Callers
|
1168
|
+
// can thus loop over all matching extensions by first passing -1 and then
|
1169
|
+
// passing the previously-returned value until no match is returned.
|
1170
|
+
OPENSSL_EXPORT int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x,
|
1171
|
+
int nid, int lastpos);
|
1172
|
+
|
1173
|
+
// X509v3_get_ext_by_OBJ behaves like |X509v3_get_ext_by_NID| but looks for
|
1174
|
+
// extensions matching |obj|.
|
1175
|
+
OPENSSL_EXPORT int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *x,
|
1176
|
+
const ASN1_OBJECT *obj, int lastpos);
|
1177
|
+
|
1178
|
+
// X509v3_get_ext_by_critical returns the index of the first extension in |x|
|
1179
|
+
// whose critical bit matches |crit|, or a negative number if no such extension
|
1180
|
+
// was found.
|
1181
|
+
//
|
1182
|
+
// If |lastpos| is non-negative, it begins searching at |lastpos| + 1. Callers
|
1183
|
+
// can thus loop over all matching extensions by first passing -1 and then
|
1184
|
+
// passing the previously-returned value until no match is returned.
|
1185
|
+
OPENSSL_EXPORT int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *x,
|
1186
|
+
int crit, int lastpos);
|
1187
|
+
|
1188
|
+
// X509v3_get_ext returns the extension in |x| at index |loc|, or NULL if |loc|
|
1189
|
+
// is out of bounds. This function returns a non-const pointer for OpenSSL
|
1190
|
+
// compatibility, but callers should not mutate the result.
|
1191
|
+
OPENSSL_EXPORT X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x,
|
1192
|
+
int loc);
|
1193
|
+
|
1194
|
+
// X509v3_delete_ext removes the extension in |x| at index |loc| and returns the
|
1195
|
+
// removed extension, or NULL if |loc| was out of bounds. If an extension was
|
1196
|
+
// returned, the caller must release it with |X509_EXTENSION_free|.
|
1197
|
+
OPENSSL_EXPORT X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x,
|
1198
|
+
int loc);
|
1199
|
+
|
1200
|
+
// X509v3_add_ext adds a copy of |ex| to the extension list in |*x|. If |*x| is
|
1201
|
+
// NULL, it allocates a new |STACK_OF(X509_EXTENSION)| to hold the copy and sets
|
1202
|
+
// |*x| to the new list. It returns |*x| on success and NULL on error. The
|
1203
|
+
// caller retains ownership of |ex| and can release it independently of |*x|.
|
1204
|
+
//
|
1205
|
+
// The new extension is inserted at index |loc|, shifting extensions to the
|
1206
|
+
// right. If |loc| is -1 or out of bounds, the new extension is appended to the
|
1207
|
+
// list.
|
1208
|
+
OPENSSL_EXPORT STACK_OF(X509_EXTENSION) *X509v3_add_ext(
|
1209
|
+
STACK_OF(X509_EXTENSION) **x, const X509_EXTENSION *ex, int loc);
|
1210
|
+
|
1211
|
+
|
1212
|
+
// Algorithm identifiers.
|
1213
|
+
//
|
1214
|
+
// An |X509_ALGOR| represents an AlgorithmIdentifier structure, used in X.509
|
1215
|
+
// to represent signature algorithms and public key algorithms.
|
1216
|
+
|
1217
|
+
DEFINE_STACK_OF(X509_ALGOR)
|
1218
|
+
|
1219
|
+
// X509_ALGOR is an |ASN1_ITEM| whose ASN.1 type is AlgorithmIdentifier and C
|
1220
|
+
// type is |X509_ALGOR*|.
|
1221
|
+
DECLARE_ASN1_ITEM(X509_ALGOR)
|
1222
|
+
|
1223
|
+
// X509_ALGOR_new returns a newly-allocated, empty |X509_ALGOR| object, or NULL
|
1224
|
+
// on error.
|
1225
|
+
OPENSSL_EXPORT X509_ALGOR *X509_ALGOR_new(void);
|
1226
|
+
|
1227
|
+
// X509_ALGOR_dup returns a newly-allocated copy of |alg|, or NULL on error.
|
1228
|
+
// This function works by serializing the structure, so if |alg| is incomplete,
|
1229
|
+
// it may fail.
|
1230
|
+
OPENSSL_EXPORT X509_ALGOR *X509_ALGOR_dup(const X509_ALGOR *alg);
|
1231
|
+
|
1232
|
+
// X509_ALGOR_free releases memory associated with |alg|.
|
1233
|
+
OPENSSL_EXPORT void X509_ALGOR_free(X509_ALGOR *alg);
|
1234
|
+
|
1235
|
+
// d2i_X509_ALGOR parses up to |len| bytes from |*inp| as a DER-encoded
|
1236
|
+
// AlgorithmIdentifier, as described in |d2i_SAMPLE|.
|
1237
|
+
OPENSSL_EXPORT X509_ALGOR *d2i_X509_ALGOR(X509_ALGOR **out, const uint8_t **inp,
|
1238
|
+
long len);
|
1239
|
+
|
1240
|
+
// i2d_X509_ALGOR marshals |alg| as a DER-encoded AlgorithmIdentifier, as
|
1241
|
+
// described in |i2d_SAMPLE|.
|
1242
|
+
OPENSSL_EXPORT int i2d_X509_ALGOR(const X509_ALGOR *alg, uint8_t **outp);
|
1243
|
+
|
1244
|
+
// X509_ALGOR_set0 sets |alg| to an AlgorithmIdentifier with algorithm |obj| and
|
1245
|
+
// parameter determined by |param_type| and |param_value|. It returns one on
|
1246
|
+
// success and zero on error. This function takes ownership of |obj| and
|
1247
|
+
// |param_value| on success.
|
1248
|
+
//
|
1249
|
+
// If |param_type| is |V_ASN1_UNDEF|, the parameter is omitted. If |param_type|
|
1250
|
+
// is zero, the parameter is left unchanged. Otherwise, |param_type| and
|
1251
|
+
// |param_value| are interpreted as in |ASN1_TYPE_set|.
|
1252
|
+
//
|
1253
|
+
// Note omitting the parameter (|V_ASN1_UNDEF|) and encoding an explicit NULL
|
1254
|
+
// value (|V_ASN1_NULL|) are different. Some algorithms require one and some the
|
1255
|
+
// other. Consult the relevant specification before calling this function. The
|
1256
|
+
// correct parameter for an RSASSA-PKCS1-v1_5 signature is |V_ASN1_NULL|. The
|
1257
|
+
// correct one for an ECDSA or Ed25519 signature is |V_ASN1_UNDEF|.
|
1258
|
+
OPENSSL_EXPORT int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *obj,
|
1259
|
+
int param_type, void *param_value);
|
1260
|
+
|
1261
|
+
// X509_ALGOR_get0 sets |*out_obj| to the |alg|'s algorithm. If |alg|'s
|
1262
|
+
// parameter is omitted, it sets |*out_param_type| and |*out_param_value| to
|
1263
|
+
// |V_ASN1_UNDEF| and NULL. Otherwise, it sets |*out_param_type| and
|
1264
|
+
// |*out_param_value| to the parameter, using the same representation as
|
1265
|
+
// |ASN1_TYPE_set0|. See |ASN1_TYPE_set0| and |ASN1_TYPE| for details.
|
1266
|
+
//
|
1267
|
+
// Callers that require the parameter in serialized form should, after checking
|
1268
|
+
// for |V_ASN1_UNDEF|, use |ASN1_TYPE_set1| and |d2i_ASN1_TYPE|, rather than
|
1269
|
+
// inspecting |*out_param_value|.
|
1270
|
+
//
|
1271
|
+
// Each of |out_obj|, |out_param_type|, and |out_param_value| may be NULL to
|
1272
|
+
// ignore the output. If |out_param_type| is NULL, |out_param_value| is ignored.
|
1273
|
+
//
|
1274
|
+
// WARNING: If |*out_param_type| is set to |V_ASN1_UNDEF|, OpenSSL and older
|
1275
|
+
// revisions of BoringSSL leave |*out_param_value| unset rather than setting it
|
1276
|
+
// to NULL. Callers that support both OpenSSL and BoringSSL should not assume
|
1277
|
+
// |*out_param_value| is uniformly initialized.
|
1278
|
+
OPENSSL_EXPORT void X509_ALGOR_get0(const ASN1_OBJECT **out_obj,
|
1279
|
+
int *out_param_type,
|
1280
|
+
const void **out_param_value,
|
1281
|
+
const X509_ALGOR *alg);
|
1282
|
+
|
1283
|
+
// X509_ALGOR_set_md sets |alg| to the hash function |md|. Note this
|
1284
|
+
// AlgorithmIdentifier represents the hash function itself, not a signature
|
1285
|
+
// algorithm that uses |md|.
|
1286
|
+
OPENSSL_EXPORT void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md);
|
1287
|
+
|
1288
|
+
// X509_ALGOR_cmp returns zero if |a| and |b| are equal, and some non-zero value
|
1289
|
+
// otherwise. Note this function can only be used for equality checks, not an
|
1290
|
+
// ordering.
|
1291
|
+
OPENSSL_EXPORT int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b);
|
1292
|
+
|
1293
|
+
|
1294
|
+
// Printing functions.
|
1295
|
+
//
|
1296
|
+
// The following functions output human-readable representations of
|
1297
|
+
// X.509-related structures. They should only be used for debugging or logging
|
1298
|
+
// and not parsed programmatically.
|
1299
|
+
|
1300
|
+
// X509_signature_dump writes a human-readable representation of |sig| to |bio|,
|
1301
|
+
// indented with |indent| spaces. It returns one on success and zero on error.
|
1302
|
+
OPENSSL_EXPORT int X509_signature_dump(BIO *bio, const ASN1_STRING *sig,
|
1303
|
+
int indent);
|
1304
|
+
|
1305
|
+
// X509_signature_print writes a human-readable representation of |alg| and
|
1306
|
+
// |sig| to |bio|. It returns one on success and zero on error.
|
1307
|
+
OPENSSL_EXPORT int X509_signature_print(BIO *bio, const X509_ALGOR *alg,
|
1308
|
+
const ASN1_STRING *sig);
|
1309
|
+
|
1310
|
+
|
1311
|
+
// Convenience functions.
|
1312
|
+
|
1313
|
+
// X509_pubkey_digest hashes the contents of the BIT STRING in |x509|'s
|
1314
|
+
// subjectPublicKeyInfo field with |md| and writes the result to |out|.
|
1315
|
+
// |EVP_MD_CTX_size| bytes are written, which is at most |EVP_MAX_MD_SIZE|. If
|
1316
|
+
// |out_len| is not NULL, |*out_len| is set to the number of bytes written. This
|
1317
|
+
// function returns one on success and zero on error.
|
1318
|
+
//
|
1319
|
+
// This hash omits the BIT STRING tag, length, and number of unused bits. It
|
1320
|
+
// also omits the AlgorithmIdentifier which describes the key type. It
|
1321
|
+
// corresponds to the OCSP KeyHash definition and is not suitable for other
|
1322
|
+
// purposes.
|
1323
|
+
OPENSSL_EXPORT int X509_pubkey_digest(const X509 *x509, const EVP_MD *md,
|
1324
|
+
uint8_t *out, unsigned *out_len);
|
1325
|
+
|
1326
|
+
// X509_digest hashes |x509|'s DER encoding with |md| and writes the result to
|
1327
|
+
// |out|. |EVP_MD_CTX_size| bytes are written, which is at most
|
1328
|
+
// |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number
|
1329
|
+
// of bytes written. This function returns one on success and zero on error.
|
1330
|
+
// Note this digest covers the entire certificate, not just the signed portion.
|
1331
|
+
OPENSSL_EXPORT int X509_digest(const X509 *x509, const EVP_MD *md, uint8_t *out,
|
1332
|
+
unsigned *out_len);
|
1333
|
+
|
1334
|
+
// X509_CRL_digest hashes |crl|'s DER encoding with |md| and writes the result
|
1335
|
+
// to |out|. |EVP_MD_CTX_size| bytes are written, which is at most
|
1336
|
+
// |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number
|
1337
|
+
// of bytes written. This function returns one on success and zero on error.
|
1338
|
+
// Note this digest covers the entire CRL, not just the signed portion.
|
1339
|
+
OPENSSL_EXPORT int X509_CRL_digest(const X509_CRL *crl, const EVP_MD *md,
|
1340
|
+
uint8_t *out, unsigned *out_len);
|
1341
|
+
|
1342
|
+
// X509_REQ_digest hashes |req|'s DER encoding with |md| and writes the result
|
1343
|
+
// to |out|. |EVP_MD_CTX_size| bytes are written, which is at most
|
1344
|
+
// |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number
|
1345
|
+
// of bytes written. This function returns one on success and zero on error.
|
1346
|
+
// Note this digest covers the entire certificate request, not just the signed
|
1347
|
+
// portion.
|
1348
|
+
OPENSSL_EXPORT int X509_REQ_digest(const X509_REQ *req, const EVP_MD *md,
|
1349
|
+
uint8_t *out, unsigned *out_len);
|
1350
|
+
|
1351
|
+
// X509_NAME_digest hashes |name|'s DER encoding with |md| and writes the result
|
1352
|
+
// to |out|. |EVP_MD_CTX_size| bytes are written, which is at most
|
1353
|
+
// |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number
|
1354
|
+
// of bytes written. This function returns one on success and zero on error.
|
1355
|
+
OPENSSL_EXPORT int X509_NAME_digest(const X509_NAME *name, const EVP_MD *md,
|
1356
|
+
uint8_t *out, unsigned *out_len);
|
1357
|
+
|
1358
|
+
// The following functions behave like the corresponding unsuffixed |d2i_*|
|
1359
|
+
// functions, but read the result from |bp| instead. Callers using these
|
1360
|
+
// functions with memory |BIO|s to parse structures already in memory should use
|
1361
|
+
// |d2i_*| instead.
|
1362
|
+
OPENSSL_EXPORT X509 *d2i_X509_bio(BIO *bp, X509 **x509);
|
1363
|
+
OPENSSL_EXPORT X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl);
|
1364
|
+
OPENSSL_EXPORT X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **req);
|
1365
|
+
OPENSSL_EXPORT RSA *d2i_RSAPrivateKey_bio(BIO *bp, RSA **rsa);
|
1366
|
+
OPENSSL_EXPORT RSA *d2i_RSAPublicKey_bio(BIO *bp, RSA **rsa);
|
1367
|
+
OPENSSL_EXPORT RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa);
|
1368
|
+
OPENSSL_EXPORT DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa);
|
1369
|
+
OPENSSL_EXPORT DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa);
|
1370
|
+
OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey);
|
1371
|
+
OPENSSL_EXPORT EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey);
|
1372
|
+
OPENSSL_EXPORT X509_SIG *d2i_PKCS8_bio(BIO *bp, X509_SIG **p8);
|
1373
|
+
OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(
|
1374
|
+
BIO *bp, PKCS8_PRIV_KEY_INFO **p8inf);
|
1375
|
+
OPENSSL_EXPORT EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a);
|
1376
|
+
OPENSSL_EXPORT DH *d2i_DHparams_bio(BIO *bp, DH **dh);
|
1377
|
+
|
1378
|
+
// d2i_PrivateKey_bio behaves like |d2i_AutoPrivateKey|, but reads from |bp|
|
1379
|
+
// instead.
|
1380
|
+
OPENSSL_EXPORT EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a);
|
1381
|
+
|
1382
|
+
// The following functions behave like the corresponding unsuffixed |i2d_*|
|
1383
|
+
// functions, but write the result to |bp|. They return one on success and zero
|
1384
|
+
// on error. Callers using them with memory |BIO|s to encode structures to
|
1385
|
+
// memory should use |i2d_*| directly instead.
|
1386
|
+
OPENSSL_EXPORT int i2d_X509_bio(BIO *bp, X509 *x509);
|
1387
|
+
OPENSSL_EXPORT int i2d_X509_CRL_bio(BIO *bp, X509_CRL *crl);
|
1388
|
+
OPENSSL_EXPORT int i2d_X509_REQ_bio(BIO *bp, X509_REQ *req);
|
1389
|
+
OPENSSL_EXPORT int i2d_RSAPrivateKey_bio(BIO *bp, RSA *rsa);
|
1390
|
+
OPENSSL_EXPORT int i2d_RSAPublicKey_bio(BIO *bp, RSA *rsa);
|
1391
|
+
OPENSSL_EXPORT int i2d_RSA_PUBKEY_bio(BIO *bp, RSA *rsa);
|
1392
|
+
OPENSSL_EXPORT int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa);
|
1393
|
+
OPENSSL_EXPORT int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa);
|
1394
|
+
OPENSSL_EXPORT int i2d_EC_PUBKEY_bio(BIO *bp, EC_KEY *eckey);
|
1395
|
+
OPENSSL_EXPORT int i2d_ECPrivateKey_bio(BIO *bp, EC_KEY *eckey);
|
1396
|
+
OPENSSL_EXPORT int i2d_PKCS8_bio(BIO *bp, X509_SIG *p8);
|
1397
|
+
OPENSSL_EXPORT int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,
|
1398
|
+
PKCS8_PRIV_KEY_INFO *p8inf);
|
1399
|
+
OPENSSL_EXPORT int i2d_PrivateKey_bio(BIO *bp, EVP_PKEY *pkey);
|
1400
|
+
OPENSSL_EXPORT int i2d_PUBKEY_bio(BIO *bp, EVP_PKEY *pkey);
|
1401
|
+
OPENSSL_EXPORT int i2d_DHparams_bio(BIO *bp, const DH *dh);
|
1402
|
+
|
1403
|
+
// i2d_PKCS8PrivateKeyInfo_bio encodes |key| as a PKCS#8 PrivateKeyInfo
|
1404
|
+
// structure (see |EVP_marshal_private_key|) and writes the result to |bp|. It
|
1405
|
+
// returns one on success and zero on error.
|
1406
|
+
OPENSSL_EXPORT int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key);
|
1407
|
+
|
1408
|
+
// The following functions behave like the corresponding |d2i_*_bio| functions,
|
1409
|
+
// but read from |fp| instead.
|
1410
|
+
OPENSSL_EXPORT X509 *d2i_X509_fp(FILE *fp, X509 **x509);
|
1411
|
+
OPENSSL_EXPORT X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl);
|
1412
|
+
OPENSSL_EXPORT X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **req);
|
1413
|
+
OPENSSL_EXPORT RSA *d2i_RSAPrivateKey_fp(FILE *fp, RSA **rsa);
|
1414
|
+
OPENSSL_EXPORT RSA *d2i_RSAPublicKey_fp(FILE *fp, RSA **rsa);
|
1415
|
+
OPENSSL_EXPORT RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa);
|
1416
|
+
OPENSSL_EXPORT DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa);
|
1417
|
+
OPENSSL_EXPORT DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa);
|
1418
|
+
OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey);
|
1419
|
+
OPENSSL_EXPORT EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey);
|
1420
|
+
OPENSSL_EXPORT X509_SIG *d2i_PKCS8_fp(FILE *fp, X509_SIG **p8);
|
1421
|
+
OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(
|
1422
|
+
FILE *fp, PKCS8_PRIV_KEY_INFO **p8inf);
|
1423
|
+
OPENSSL_EXPORT EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a);
|
1424
|
+
OPENSSL_EXPORT EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a);
|
1425
|
+
|
1426
|
+
// The following functions behave like the corresponding |i2d_*_bio| functions,
|
1427
|
+
// but write to |fp| instead.
|
1428
|
+
OPENSSL_EXPORT int i2d_X509_fp(FILE *fp, X509 *x509);
|
1429
|
+
OPENSSL_EXPORT int i2d_X509_CRL_fp(FILE *fp, X509_CRL *crl);
|
1430
|
+
OPENSSL_EXPORT int i2d_X509_REQ_fp(FILE *fp, X509_REQ *req);
|
1431
|
+
OPENSSL_EXPORT int i2d_RSAPrivateKey_fp(FILE *fp, RSA *rsa);
|
1432
|
+
OPENSSL_EXPORT int i2d_RSAPublicKey_fp(FILE *fp, RSA *rsa);
|
1433
|
+
OPENSSL_EXPORT int i2d_RSA_PUBKEY_fp(FILE *fp, RSA *rsa);
|
1434
|
+
OPENSSL_EXPORT int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa);
|
1435
|
+
OPENSSL_EXPORT int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa);
|
1436
|
+
OPENSSL_EXPORT int i2d_EC_PUBKEY_fp(FILE *fp, EC_KEY *eckey);
|
1437
|
+
OPENSSL_EXPORT int i2d_ECPrivateKey_fp(FILE *fp, EC_KEY *eckey);
|
1438
|
+
OPENSSL_EXPORT int i2d_PKCS8_fp(FILE *fp, X509_SIG *p8);
|
1439
|
+
OPENSSL_EXPORT int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,
|
1440
|
+
PKCS8_PRIV_KEY_INFO *p8inf);
|
1441
|
+
OPENSSL_EXPORT int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key);
|
1442
|
+
OPENSSL_EXPORT int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey);
|
1443
|
+
OPENSSL_EXPORT int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey);
|
1444
|
+
|
1445
|
+
// X509_find_by_issuer_and_serial returns the first |X509| in |sk| whose issuer
|
1446
|
+
// and serial are |name| and |serial|, respectively. If no match is found, it
|
1447
|
+
// returns NULL.
|
1448
|
+
OPENSSL_EXPORT X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk,
|
1449
|
+
X509_NAME *name,
|
1450
|
+
const ASN1_INTEGER *serial);
|
1451
|
+
|
1452
|
+
// X509_find_by_subject returns the first |X509| in |sk| whose subject is
|
1453
|
+
// |name|. If no match is found, it returns NULL.
|
1454
|
+
OPENSSL_EXPORT X509 *X509_find_by_subject(const STACK_OF(X509) *sk,
|
1455
|
+
X509_NAME *name);
|
1456
|
+
|
1457
|
+
|
1458
|
+
// ex_data functions.
|
1459
|
+
//
|
1460
|
+
// See |ex_data.h| for details.
|
1461
|
+
|
1462
|
+
OPENSSL_EXPORT int X509_get_ex_new_index(long argl, void *argp,
|
1463
|
+
CRYPTO_EX_unused *unused,
|
1464
|
+
CRYPTO_EX_dup *dup_unused,
|
1465
|
+
CRYPTO_EX_free *free_func);
|
1466
|
+
OPENSSL_EXPORT int X509_set_ex_data(X509 *r, int idx, void *arg);
|
1467
|
+
OPENSSL_EXPORT void *X509_get_ex_data(X509 *r, int idx);
|
1468
|
+
|
1469
|
+
OPENSSL_EXPORT int X509_STORE_CTX_get_ex_new_index(long argl, void *argp,
|
1470
|
+
CRYPTO_EX_unused *unused,
|
1471
|
+
CRYPTO_EX_dup *dup_unused,
|
1472
|
+
CRYPTO_EX_free *free_func);
|
1473
|
+
OPENSSL_EXPORT int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx,
|
1474
|
+
void *data);
|
1475
|
+
OPENSSL_EXPORT void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx);
|
1476
|
+
|
1477
|
+
|
1478
|
+
// Deprecated functions.
|
1479
|
+
|
1480
|
+
// X509_get_notBefore returns |x509|'s notBefore time. Note this function is not
|
1481
|
+
// const-correct for legacy reasons. Use |X509_get0_notBefore| or
|
1482
|
+
// |X509_getm_notBefore| instead.
|
1483
|
+
OPENSSL_EXPORT ASN1_TIME *X509_get_notBefore(const X509 *x509);
|
1484
|
+
|
1485
|
+
// X509_get_notAfter returns |x509|'s notAfter time. Note this function is not
|
1486
|
+
// const-correct for legacy reasons. Use |X509_get0_notAfter| or
|
1487
|
+
// |X509_getm_notAfter| instead.
|
1488
|
+
OPENSSL_EXPORT ASN1_TIME *X509_get_notAfter(const X509 *x509);
|
1489
|
+
|
1490
|
+
// X509_set_notBefore calls |X509_set1_notBefore|. Use |X509_set1_notBefore|
|
1491
|
+
// instead.
|
1492
|
+
OPENSSL_EXPORT int X509_set_notBefore(X509 *x509, const ASN1_TIME *tm);
|
1493
|
+
|
1494
|
+
// X509_set_notAfter calls |X509_set1_notAfter|. Use |X509_set1_notAfter|
|
1495
|
+
// instead.
|
1496
|
+
OPENSSL_EXPORT int X509_set_notAfter(X509 *x509, const ASN1_TIME *tm);
|
1497
|
+
|
1498
|
+
// X509_CRL_get_lastUpdate returns a mutable pointer to |crl|'s thisUpdate time.
|
1499
|
+
// The OpenSSL API refers to this field as lastUpdate.
|
1500
|
+
//
|
1501
|
+
// Use |X509_CRL_get0_lastUpdate| or |X509_CRL_set1_lastUpdate| instead.
|
1502
|
+
OPENSSL_EXPORT ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl);
|
1503
|
+
|
1504
|
+
// X509_CRL_get_nextUpdate returns a mutable pointer to |crl|'s nextUpdate time,
|
1505
|
+
// or NULL if |crl| has none. Use |X509_CRL_get0_nextUpdate| or
|
1506
|
+
// |X509_CRL_set1_nextUpdate| instead.
|
1507
|
+
OPENSSL_EXPORT ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl);
|
1508
|
+
|
1509
|
+
// X509_extract_key is a legacy alias to |X509_get_pubkey|. Use
|
1510
|
+
// |X509_get_pubkey| instead.
|
1511
|
+
#define X509_extract_key(x) X509_get_pubkey(x)
|
1512
|
+
|
1513
|
+
// X509_REQ_extract_key is a legacy alias for |X509_REQ_get_pubkey|.
|
1514
|
+
#define X509_REQ_extract_key(a) X509_REQ_get_pubkey(a)
|
1515
|
+
|
1516
|
+
// X509_name_cmp is a legacy alias for |X509_NAME_cmp|.
|
1517
|
+
#define X509_name_cmp(a, b) X509_NAME_cmp((a), (b))
|
1518
|
+
|
1519
|
+
// The following symbols are deprecated aliases to |X509_CRL_set1_*|.
|
1520
|
+
#define X509_CRL_set_lastUpdate X509_CRL_set1_lastUpdate
|
1521
|
+
#define X509_CRL_set_nextUpdate X509_CRL_set1_nextUpdate
|
1522
|
+
|
1523
|
+
// X509_get_serialNumber returns a mutable pointer to |x509|'s serial number.
|
1524
|
+
// Prefer |X509_get0_serialNumber|.
|
1525
|
+
OPENSSL_EXPORT ASN1_INTEGER *X509_get_serialNumber(X509 *x509);
|
1526
|
+
|
1527
|
+
// X509_NAME_get_text_by_OBJ finds the first attribute with type |obj| in
|
1528
|
+
// |name|. If found, it ignores the value's ASN.1 type, writes the raw
|
1529
|
+
// |ASN1_STRING| representation to |buf|, followed by a NUL byte, and
|
1530
|
+
// returns the number of bytes in output, excluding the NUL byte.
|
1531
|
+
//
|
1532
|
+
// This function writes at most |len| bytes, including the NUL byte. If |len| is
|
1533
|
+
// not large enough, it silently truncates the output to fit. If |buf| is NULL,
|
1534
|
+
// it instead writes enough and returns the number of bytes in the output,
|
1535
|
+
// excluding the NUL byte.
|
1536
|
+
//
|
1537
|
+
// WARNING: Do not use this function. It does not return enough information for
|
1538
|
+
// the caller to correctly interpret its output. The attribute value may be of
|
1539
|
+
// any type, including one of several ASN.1 string encodings, but this function
|
1540
|
+
// only outputs the raw |ASN1_STRING| representation. See
|
1541
|
+
// https://crbug.com/boringssl/436.
|
1542
|
+
OPENSSL_EXPORT int X509_NAME_get_text_by_OBJ(const X509_NAME *name,
|
1543
|
+
const ASN1_OBJECT *obj, char *buf,
|
1544
|
+
int len);
|
1545
|
+
|
1546
|
+
// X509_NAME_get_text_by_NID behaves like |X509_NAME_get_text_by_OBJ| except it
|
1547
|
+
// finds an attribute of type |nid|, which should be one of the |NID_*|
|
1548
|
+
// constants.
|
1549
|
+
OPENSSL_EXPORT int X509_NAME_get_text_by_NID(const X509_NAME *name, int nid,
|
1550
|
+
char *buf, int len);
|
1551
|
+
|
1552
|
+
|
1553
|
+
// Private structures.
|
1554
|
+
|
1555
|
+
struct X509_algor_st {
|
1556
|
+
ASN1_OBJECT *algorithm;
|
1557
|
+
ASN1_TYPE *parameter;
|
1558
|
+
} /* X509_ALGOR */;
|
1559
|
+
|
96
1560
|
|
1561
|
+
// Functions below this point have not yet been organized into sections.
|
97
1562
|
|
98
1563
|
#define X509_FILETYPE_PEM 1
|
99
1564
|
#define X509_FILETYPE_ASN1 2
|
@@ -110,25 +1575,6 @@ extern "C" {
|
|
110
1575
|
#define X509v3_KU_DECIPHER_ONLY 0x8000
|
111
1576
|
#define X509v3_KU_UNDEF 0xffff
|
112
1577
|
|
113
|
-
struct X509_algor_st {
|
114
|
-
ASN1_OBJECT *algorithm;
|
115
|
-
ASN1_TYPE *parameter;
|
116
|
-
} /* X509_ALGOR */;
|
117
|
-
|
118
|
-
DECLARE_ASN1_FUNCTIONS(X509_ALGOR)
|
119
|
-
|
120
|
-
DEFINE_STACK_OF(X509_ALGOR)
|
121
|
-
|
122
|
-
typedef STACK_OF(X509_ALGOR) X509_ALGORS;
|
123
|
-
|
124
|
-
DEFINE_STACK_OF(X509_NAME_ENTRY)
|
125
|
-
|
126
|
-
DEFINE_STACK_OF(X509_NAME)
|
127
|
-
|
128
|
-
typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS;
|
129
|
-
|
130
|
-
DEFINE_STACK_OF(X509_EXTENSION)
|
131
|
-
|
132
1578
|
DEFINE_STACK_OF(X509_ATTRIBUTE)
|
133
1579
|
|
134
1580
|
// This stuff is certificate "auxiliary info"
|
@@ -139,8 +1585,6 @@ DEFINE_STACK_OF(X509_ATTRIBUTE)
|
|
139
1585
|
DECLARE_STACK_OF(DIST_POINT)
|
140
1586
|
DECLARE_STACK_OF(GENERAL_NAME)
|
141
1587
|
|
142
|
-
DEFINE_STACK_OF(X509)
|
143
|
-
|
144
1588
|
// This is used for a table of trust checking functions
|
145
1589
|
|
146
1590
|
struct x509_trust_st {
|
@@ -199,7 +1643,8 @@ DEFINE_STACK_OF(X509_TRUST)
|
|
199
1643
|
#define X509_FLAG_NO_ATTRIBUTES (1L << 11)
|
200
1644
|
#define X509_FLAG_NO_IDS (1L << 12)
|
201
1645
|
|
202
|
-
// Flags specific to X509_NAME_print_ex()
|
1646
|
+
// Flags specific to X509_NAME_print_ex(). These flags must not collide with
|
1647
|
+
// |ASN1_STRFLGS_*|.
|
203
1648
|
|
204
1649
|
// The field separator information
|
205
1650
|
|
@@ -249,23 +1694,10 @@ DEFINE_STACK_OF(X509_TRUST)
|
|
249
1694
|
(ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB | XN_FLAG_SEP_MULTILINE | \
|
250
1695
|
XN_FLAG_SPC_EQ | XN_FLAG_FN_LN | XN_FLAG_FN_ALIGN)
|
251
1696
|
|
252
|
-
struct x509_revoked_st {
|
253
|
-
ASN1_INTEGER *serialNumber;
|
254
|
-
ASN1_TIME *revocationDate;
|
255
|
-
STACK_OF(X509_EXTENSION) /* optional */ *extensions;
|
256
|
-
// Set up if indirect CRL
|
257
|
-
STACK_OF(GENERAL_NAME) *issuer;
|
258
|
-
// Revocation reason
|
259
|
-
int reason;
|
260
|
-
int sequence; // load sequence
|
261
|
-
};
|
262
|
-
|
263
1697
|
DEFINE_STACK_OF(X509_REVOKED)
|
264
1698
|
|
265
1699
|
DECLARE_STACK_OF(GENERAL_NAMES)
|
266
1700
|
|
267
|
-
DEFINE_STACK_OF(X509_CRL)
|
268
|
-
|
269
1701
|
struct private_key_st {
|
270
1702
|
int version;
|
271
1703
|
// The PKCS#8 data types
|
@@ -303,182 +1735,22 @@ DEFINE_STACK_OF(X509_INFO)
|
|
303
1735
|
struct Netscape_spkac_st {
|
304
1736
|
X509_PUBKEY *pubkey;
|
305
1737
|
ASN1_IA5STRING *challenge; // challenge sent in atlas >= PR2
|
306
|
-
} /* NETSCAPE_SPKAC */;
|
307
|
-
|
308
|
-
struct Netscape_spki_st {
|
309
|
-
NETSCAPE_SPKAC *spkac; // signed public key and challenge
|
310
|
-
X509_ALGOR *sig_algor;
|
311
|
-
ASN1_BIT_STRING *signature;
|
312
|
-
} /* NETSCAPE_SPKI */;
|
313
|
-
|
314
|
-
// TODO(davidben): Document remaining functions, reorganize them, and define
|
315
|
-
// supported patterns for using |X509| objects in general. In particular, when
|
316
|
-
// it is safe to call mutating functions is a little tricky due to various
|
317
|
-
// internal caches.
|
318
|
-
|
319
|
-
// X509_VERSION_* are X.509 version numbers. Note the numerical values of all
|
320
|
-
// defined X.509 versions are one less than the named version.
|
321
|
-
#define X509_VERSION_1 0
|
322
|
-
#define X509_VERSION_2 1
|
323
|
-
#define X509_VERSION_3 2
|
324
|
-
|
325
|
-
// X509_get_version returns the numerical value of |x509|'s version. Callers may
|
326
|
-
// compare the result to the |X509_VERSION_*| constants. Unknown versions are
|
327
|
-
// rejected by the parser, but a manually-created |X509| object may encode
|
328
|
-
// invalid versions. In that case, the function will return the invalid version,
|
329
|
-
// or -1 on overflow.
|
330
|
-
OPENSSL_EXPORT long X509_get_version(const X509 *x509);
|
331
|
-
|
332
|
-
// X509_set_version sets |x509|'s version to |version|, which should be one of
|
333
|
-
// the |X509V_VERSION_*| constants. It returns one on success and zero on error.
|
334
|
-
//
|
335
|
-
// If unsure, use |X509_VERSION_3|.
|
336
|
-
OPENSSL_EXPORT int X509_set_version(X509 *x509, long version);
|
337
|
-
|
338
|
-
// X509_get0_serialNumber returns |x509|'s serial number.
|
339
|
-
OPENSSL_EXPORT const ASN1_INTEGER *X509_get0_serialNumber(const X509 *x509);
|
340
|
-
|
341
|
-
// X509_set_serialNumber sets |x509|'s serial number to |serial|. It returns one
|
342
|
-
// on success and zero on error.
|
343
|
-
OPENSSL_EXPORT int X509_set_serialNumber(X509 *x509,
|
344
|
-
const ASN1_INTEGER *serial);
|
345
|
-
|
346
|
-
// X509_get0_notBefore returns |x509|'s notBefore time.
|
347
|
-
OPENSSL_EXPORT const ASN1_TIME *X509_get0_notBefore(const X509 *x509);
|
348
|
-
|
349
|
-
// X509_get0_notAfter returns |x509|'s notAfter time.
|
350
|
-
OPENSSL_EXPORT const ASN1_TIME *X509_get0_notAfter(const X509 *x509);
|
351
|
-
|
352
|
-
// X509_set1_notBefore sets |x509|'s notBefore time to |tm|. It returns one on
|
353
|
-
// success and zero on error.
|
354
|
-
OPENSSL_EXPORT int X509_set1_notBefore(X509 *x509, const ASN1_TIME *tm);
|
355
|
-
|
356
|
-
// X509_set1_notAfter sets |x509|'s notAfter time to |tm|. it returns one on
|
357
|
-
// success and zero on error.
|
358
|
-
OPENSSL_EXPORT int X509_set1_notAfter(X509 *x509, const ASN1_TIME *tm);
|
359
|
-
|
360
|
-
// X509_getm_notBefore returns a mutable pointer to |x509|'s notBefore time.
|
361
|
-
OPENSSL_EXPORT ASN1_TIME *X509_getm_notBefore(X509 *x509);
|
362
|
-
|
363
|
-
// X509_getm_notAfter returns a mutable pointer to |x509|'s notAfter time.
|
364
|
-
OPENSSL_EXPORT ASN1_TIME *X509_getm_notAfter(X509 *x);
|
365
|
-
|
366
|
-
// X509_get_notBefore returns |x509|'s notBefore time. Note this function is not
|
367
|
-
// const-correct for legacy reasons. Use |X509_get0_notBefore| or
|
368
|
-
// |X509_getm_notBefore| instead.
|
369
|
-
OPENSSL_EXPORT ASN1_TIME *X509_get_notBefore(const X509 *x509);
|
370
|
-
|
371
|
-
// X509_get_notAfter returns |x509|'s notAfter time. Note this function is not
|
372
|
-
// const-correct for legacy reasons. Use |X509_get0_notAfter| or
|
373
|
-
// |X509_getm_notAfter| instead.
|
374
|
-
OPENSSL_EXPORT ASN1_TIME *X509_get_notAfter(const X509 *x509);
|
375
|
-
|
376
|
-
// X509_set_notBefore calls |X509_set1_notBefore|. Use |X509_set1_notBefore|
|
377
|
-
// instead.
|
378
|
-
OPENSSL_EXPORT int X509_set_notBefore(X509 *x509, const ASN1_TIME *tm);
|
379
|
-
|
380
|
-
// X509_set_notAfter calls |X509_set1_notAfter|. Use |X509_set1_notAfter|
|
381
|
-
// instead.
|
382
|
-
OPENSSL_EXPORT int X509_set_notAfter(X509 *x509, const ASN1_TIME *tm);
|
383
|
-
|
384
|
-
// X509_get0_uids sets |*out_issuer_uid| to a non-owning pointer to the
|
385
|
-
// issuerUID field of |x509|, or NULL if |x509| has no issuerUID. It similarly
|
386
|
-
// outputs |x509|'s subjectUID field to |*out_subject_uid|.
|
387
|
-
//
|
388
|
-
// Callers may pass NULL to either |out_issuer_uid| or |out_subject_uid| to
|
389
|
-
// ignore the corresponding field.
|
390
|
-
OPENSSL_EXPORT void X509_get0_uids(const X509 *x509,
|
391
|
-
const ASN1_BIT_STRING **out_issuer_uid,
|
392
|
-
const ASN1_BIT_STRING **out_subject_uid);
|
393
|
-
|
394
|
-
// X509_extract_key is a legacy alias to |X509_get_pubkey|. Use
|
395
|
-
// |X509_get_pubkey| instead.
|
396
|
-
#define X509_extract_key(x) X509_get_pubkey(x)
|
397
|
-
|
398
|
-
// X509_get_pathlen returns path length constraint from the basic constraints
|
399
|
-
// extension in |x509|. (See RFC 5280, section 4.2.1.9.) It returns -1 if the
|
400
|
-
// constraint is not present, or if some extension in |x509| was invalid.
|
401
|
-
//
|
402
|
-
// Note that decoding an |X509| object will not check for invalid extensions. To
|
403
|
-
// detect the error case, call |X509_get_extensions_flags| and check the
|
404
|
-
// |EXFLAG_INVALID| bit.
|
405
|
-
OPENSSL_EXPORT long X509_get_pathlen(X509 *x509);
|
406
|
-
|
407
|
-
// X509_REQ_VERSION_1 is the version constant for |X509_REQ| objects. Note no
|
408
|
-
// other versions are defined.
|
409
|
-
#define X509_REQ_VERSION_1 0
|
410
|
-
|
411
|
-
// X509_REQ_get_version returns the numerical value of |req|'s version. This
|
412
|
-
// will be |X509_REQ_VERSION_1| for valid certificate requests. If |req| is
|
413
|
-
// invalid, it may return another value, or -1 on overflow.
|
414
|
-
//
|
415
|
-
// TODO(davidben): Enforce the version number in the parser.
|
416
|
-
OPENSSL_EXPORT long X509_REQ_get_version(const X509_REQ *req);
|
417
|
-
|
418
|
-
// X509_REQ_get_subject_name returns |req|'s subject name. Note this function is
|
419
|
-
// not const-correct for legacy reasons.
|
420
|
-
OPENSSL_EXPORT X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req);
|
421
|
-
|
422
|
-
// X509_REQ_extract_key is a legacy alias for |X509_REQ_get_pubkey|.
|
423
|
-
#define X509_REQ_extract_key(a) X509_REQ_get_pubkey(a)
|
424
|
-
|
425
|
-
// X509_name_cmp is a legacy alias for |X509_NAME_cmp|.
|
426
|
-
#define X509_name_cmp(a, b) X509_NAME_cmp((a), (b))
|
427
|
-
|
428
|
-
#define X509_CRL_VERSION_1 0
|
429
|
-
#define X509_CRL_VERSION_2 1
|
430
|
-
|
431
|
-
// X509_CRL_get_version returns the numerical value of |crl|'s version. Callers
|
432
|
-
// may compare the result to |X509_CRL_VERSION_*| constants. If |crl| is
|
433
|
-
// invalid, it may return another value, or -1 on overflow.
|
434
|
-
//
|
435
|
-
// TODO(davidben): Enforce the version number in the parser.
|
436
|
-
OPENSSL_EXPORT long X509_CRL_get_version(const X509_CRL *crl);
|
437
|
-
|
438
|
-
// X509_CRL_get0_lastUpdate returns |crl|'s lastUpdate time.
|
439
|
-
OPENSSL_EXPORT const ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl);
|
440
|
-
|
441
|
-
// X509_CRL_get0_nextUpdate returns |crl|'s nextUpdate time, or NULL if |crl|
|
442
|
-
// has none.
|
443
|
-
OPENSSL_EXPORT const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl);
|
444
|
-
|
445
|
-
// X509_CRL_set1_lastUpdate sets |crl|'s lastUpdate time to |tm|. It returns one
|
446
|
-
// on success and zero on error.
|
447
|
-
OPENSSL_EXPORT int X509_CRL_set1_lastUpdate(X509_CRL *crl, const ASN1_TIME *tm);
|
448
|
-
|
449
|
-
// X509_CRL_set1_nextUpdate sets |crl|'s nextUpdate time to |tm|. It returns one
|
450
|
-
// on success and zero on error.
|
451
|
-
OPENSSL_EXPORT int X509_CRL_set1_nextUpdate(X509_CRL *crl, const ASN1_TIME *tm);
|
452
|
-
|
453
|
-
// The following symbols are deprecated aliases to |X509_CRL_set1_*|.
|
454
|
-
#define X509_CRL_set_lastUpdate X509_CRL_set1_lastUpdate
|
455
|
-
#define X509_CRL_set_nextUpdate X509_CRL_set1_nextUpdate
|
456
|
-
|
457
|
-
// X509_CRL_get_lastUpdate returns a mutable pointer to |crl|'s lastUpdate time.
|
458
|
-
// Use |X509_CRL_get0_lastUpdate| or |X509_CRL_set1_lastUpdate| instead.
|
459
|
-
OPENSSL_EXPORT ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl);
|
460
|
-
|
461
|
-
// X509_CRL_get_nextUpdate returns a mutable pointer to |crl|'s nextUpdate time,
|
462
|
-
// or NULL if |crl| has none. Use |X509_CRL_get0_nextUpdate| or
|
463
|
-
// |X509_CRL_set1_nextUpdate| instead.
|
464
|
-
OPENSSL_EXPORT ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl);
|
1738
|
+
} /* NETSCAPE_SPKAC */;
|
465
1739
|
|
466
|
-
|
467
|
-
//
|
468
|
-
|
1740
|
+
struct Netscape_spki_st {
|
1741
|
+
NETSCAPE_SPKAC *spkac; // signed public key and challenge
|
1742
|
+
X509_ALGOR *sig_algor;
|
1743
|
+
ASN1_BIT_STRING *signature;
|
1744
|
+
} /* NETSCAPE_SPKI */;
|
469
1745
|
|
470
|
-
//
|
471
|
-
//
|
1746
|
+
// X509_get_pathlen returns path length constraint from the basic constraints
|
1747
|
+
// extension in |x509|. (See RFC 5280, section 4.2.1.9.) It returns -1 if the
|
1748
|
+
// constraint is not present, or if some extension in |x509| was invalid.
|
472
1749
|
//
|
473
|
-
//
|
474
|
-
//
|
475
|
-
//
|
476
|
-
OPENSSL_EXPORT
|
477
|
-
|
478
|
-
// X509_CRL_get0_extensions returns |crl|'s extension list, or NULL if |crl|
|
479
|
-
// omits it.
|
480
|
-
OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(
|
481
|
-
const X509_CRL *crl);
|
1750
|
+
// Note that decoding an |X509| object will not check for invalid extensions. To
|
1751
|
+
// detect the error case, call |X509_get_extensions_flags| and check the
|
1752
|
+
// |EXFLAG_INVALID| bit.
|
1753
|
+
OPENSSL_EXPORT long X509_get_pathlen(X509 *x509);
|
482
1754
|
|
483
1755
|
// X509_SIG_get0 sets |*out_alg| and |*out_digest| to non-owning pointers to
|
484
1756
|
// |sig|'s algorithm and digest fields, respectively. Either |out_alg| and
|
@@ -491,22 +1763,6 @@ OPENSSL_EXPORT void X509_SIG_get0(const X509_SIG *sig,
|
|
491
1763
|
OPENSSL_EXPORT void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **out_alg,
|
492
1764
|
ASN1_OCTET_STRING **out_digest);
|
493
1765
|
|
494
|
-
OPENSSL_EXPORT void X509_CRL_set_default_method(const X509_CRL_METHOD *meth);
|
495
|
-
OPENSSL_EXPORT X509_CRL_METHOD *X509_CRL_METHOD_new(
|
496
|
-
int (*crl_init)(X509_CRL *crl), int (*crl_free)(X509_CRL *crl),
|
497
|
-
int (*crl_lookup)(X509_CRL *crl, X509_REVOKED **ret, ASN1_INTEGER *ser,
|
498
|
-
X509_NAME *issuer),
|
499
|
-
int (*crl_verify)(X509_CRL *crl, EVP_PKEY *pk));
|
500
|
-
OPENSSL_EXPORT void X509_CRL_METHOD_free(X509_CRL_METHOD *m);
|
501
|
-
|
502
|
-
OPENSSL_EXPORT void X509_CRL_set_meth_data(X509_CRL *crl, void *dat);
|
503
|
-
OPENSSL_EXPORT void *X509_CRL_get_meth_data(X509_CRL *crl);
|
504
|
-
|
505
|
-
// X509_get_X509_PUBKEY returns the public key of |x509|. Note this function is
|
506
|
-
// not const-correct for legacy reasons. Callers should not modify the returned
|
507
|
-
// object.
|
508
|
-
OPENSSL_EXPORT X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x509);
|
509
|
-
|
510
1766
|
// X509_verify_cert_error_string returns |err| as a human-readable string, where
|
511
1767
|
// |err| should be one of the |X509_V_*| values. If |err| is unknown, it returns
|
512
1768
|
// a default description.
|
@@ -545,255 +1801,32 @@ OPENSSL_EXPORT NETSCAPE_SPKI *NETSCAPE_SPKI_b64_decode(const char *str,
|
|
545
1801
|
OPENSSL_EXPORT char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki);
|
546
1802
|
|
547
1803
|
// NETSCAPE_SPKI_get_pubkey decodes and returns the public key in |spki| as an
|
548
|
-
// |EVP_PKEY|, or NULL on error. The caller takes ownership of the resulting
|
549
|
-
// pointer and must call |EVP_PKEY_free| when done.
|
550
|
-
OPENSSL_EXPORT EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *spki);
|
551
|
-
|
552
|
-
// NETSCAPE_SPKI_set_pubkey sets |spki|'s public key to |pkey|. It returns one
|
553
|
-
// on success or zero on error. This function does not take ownership of |pkey|,
|
554
|
-
// so the caller may continue to manage its lifetime independently of |spki|.
|
555
|
-
OPENSSL_EXPORT int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *spki,
|
556
|
-
EVP_PKEY *pkey);
|
557
|
-
|
558
|
-
// X509_signature_dump writes a human-readable representation of |sig| to |bio|,
|
559
|
-
// indented with |indent| spaces. It returns one on success and zero on error.
|
560
|
-
OPENSSL_EXPORT int X509_signature_dump(BIO *bio, const ASN1_STRING *sig,
|
561
|
-
int indent);
|
562
|
-
|
563
|
-
// X509_signature_print writes a human-readable representation of |alg| and
|
564
|
-
// |sig| to |bio|. It returns one on success and zero on error.
|
565
|
-
OPENSSL_EXPORT int X509_signature_print(BIO *bio, const X509_ALGOR *alg,
|
566
|
-
const ASN1_STRING *sig);
|
567
|
-
|
568
|
-
// X509_sign signs |x509| with |pkey| and replaces the signature algorithm and
|
569
|
-
// signature fields. It returns one on success and zero on error. This function
|
570
|
-
// uses digest algorithm |md|, or |pkey|'s default if NULL. Other signing
|
571
|
-
// parameters use |pkey|'s defaults. To customize them, use |X509_sign_ctx|.
|
572
|
-
OPENSSL_EXPORT int X509_sign(X509 *x509, EVP_PKEY *pkey, const EVP_MD *md);
|
573
|
-
|
574
|
-
// X509_sign_ctx signs |x509| with |ctx| and replaces the signature algorithm
|
575
|
-
// and signature fields. It returns one on success and zero on error. The
|
576
|
-
// signature algorithm and parameters come from |ctx|, which must have been
|
577
|
-
// initialized with |EVP_DigestSignInit|. The caller should configure the
|
578
|
-
// corresponding |EVP_PKEY_CTX| before calling this function.
|
579
|
-
OPENSSL_EXPORT int X509_sign_ctx(X509 *x509, EVP_MD_CTX *ctx);
|
580
|
-
|
581
|
-
// X509_REQ_sign signs |req| with |pkey| and replaces the signature algorithm
|
582
|
-
// and signature fields. It returns one on success and zero on error. This
|
583
|
-
// function uses digest algorithm |md|, or |pkey|'s default if NULL. Other
|
584
|
-
// signing parameters use |pkey|'s defaults. To customize them, use
|
585
|
-
// |X509_REQ_sign_ctx|.
|
586
|
-
OPENSSL_EXPORT int X509_REQ_sign(X509_REQ *req, EVP_PKEY *pkey,
|
587
|
-
const EVP_MD *md);
|
588
|
-
|
589
|
-
// X509_REQ_sign_ctx signs |req| with |ctx| and replaces the signature algorithm
|
590
|
-
// and signature fields. It returns one on success and zero on error. The
|
591
|
-
// signature algorithm and parameters come from |ctx|, which must have been
|
592
|
-
// initialized with |EVP_DigestSignInit|. The caller should configure the
|
593
|
-
// corresponding |EVP_PKEY_CTX| before calling this function.
|
594
|
-
OPENSSL_EXPORT int X509_REQ_sign_ctx(X509_REQ *req, EVP_MD_CTX *ctx);
|
595
|
-
|
596
|
-
// X509_CRL_sign signs |crl| with |pkey| and replaces the signature algorithm
|
597
|
-
// and signature fields. It returns one on success and zero on error. This
|
598
|
-
// function uses digest algorithm |md|, or |pkey|'s default if NULL. Other
|
599
|
-
// signing parameters use |pkey|'s defaults. To customize them, use
|
600
|
-
// |X509_CRL_sign_ctx|.
|
601
|
-
OPENSSL_EXPORT int X509_CRL_sign(X509_CRL *crl, EVP_PKEY *pkey,
|
602
|
-
const EVP_MD *md);
|
603
|
-
|
604
|
-
// X509_CRL_sign_ctx signs |crl| with |ctx| and replaces the signature algorithm
|
605
|
-
// and signature fields. It returns one on success and zero on error. The
|
606
|
-
// signature algorithm and parameters come from |ctx|, which must have been
|
607
|
-
// initialized with |EVP_DigestSignInit|. The caller should configure the
|
608
|
-
// corresponding |EVP_PKEY_CTX| before calling this function.
|
609
|
-
OPENSSL_EXPORT int X509_CRL_sign_ctx(X509_CRL *crl, EVP_MD_CTX *ctx);
|
610
|
-
|
611
|
-
// NETSCAPE_SPKI_sign signs |spki| with |pkey| and replaces the signature
|
612
|
-
// algorithm and signature fields. It returns one on success and zero on error.
|
613
|
-
// This function uses digest algorithm |md|, or |pkey|'s default if NULL. Other
|
614
|
-
// signing parameters use |pkey|'s defaults.
|
615
|
-
OPENSSL_EXPORT int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *spki, EVP_PKEY *pkey,
|
616
|
-
const EVP_MD *md);
|
617
|
-
|
618
|
-
// X509_pubkey_digest hashes the DER encoding of |x509|'s subjectPublicKeyInfo
|
619
|
-
// field with |md| and writes the result to |out|. |EVP_MD_CTX_size| bytes are
|
620
|
-
// written, which is at most |EVP_MAX_MD_SIZE|. If |out_len| is not NULL,
|
621
|
-
// |*out_len| is set to the number of bytes written. This function returns one
|
622
|
-
// on success and zero on error.
|
623
|
-
OPENSSL_EXPORT int X509_pubkey_digest(const X509 *x509, const EVP_MD *md,
|
624
|
-
uint8_t *out, unsigned *out_len);
|
625
|
-
|
626
|
-
// X509_digest hashes |x509|'s DER encoding with |md| and writes the result to
|
627
|
-
// |out|. |EVP_MD_CTX_size| bytes are written, which is at most
|
628
|
-
// |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number
|
629
|
-
// of bytes written. This function returns one on success and zero on error.
|
630
|
-
// Note this digest covers the entire certificate, not just the signed portion.
|
631
|
-
OPENSSL_EXPORT int X509_digest(const X509 *x509, const EVP_MD *md, uint8_t *out,
|
632
|
-
unsigned *out_len);
|
633
|
-
|
634
|
-
// X509_CRL_digest hashes |crl|'s DER encoding with |md| and writes the result
|
635
|
-
// to |out|. |EVP_MD_CTX_size| bytes are written, which is at most
|
636
|
-
// |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number
|
637
|
-
// of bytes written. This function returns one on success and zero on error.
|
638
|
-
// Note this digest covers the entire CRL, not just the signed portion.
|
639
|
-
OPENSSL_EXPORT int X509_CRL_digest(const X509_CRL *crl, const EVP_MD *md,
|
640
|
-
uint8_t *out, unsigned *out_len);
|
641
|
-
|
642
|
-
// X509_REQ_digest hashes |req|'s DER encoding with |md| and writes the result
|
643
|
-
// to |out|. |EVP_MD_CTX_size| bytes are written, which is at most
|
644
|
-
// |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number
|
645
|
-
// of bytes written. This function returns one on success and zero on error.
|
646
|
-
// Note this digest covers the entire certificate request, not just the signed
|
647
|
-
// portion.
|
648
|
-
OPENSSL_EXPORT int X509_REQ_digest(const X509_REQ *req, const EVP_MD *md,
|
649
|
-
uint8_t *out, unsigned *out_len);
|
650
|
-
|
651
|
-
// X509_NAME_digest hashes |name|'s DER encoding with |md| and writes the result
|
652
|
-
// to |out|. |EVP_MD_CTX_size| bytes are written, which is at most
|
653
|
-
// |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number
|
654
|
-
// of bytes written. This function returns one on success and zero on error.
|
655
|
-
OPENSSL_EXPORT int X509_NAME_digest(const X509_NAME *name, const EVP_MD *md,
|
656
|
-
uint8_t *out, unsigned *out_len);
|
657
|
-
|
658
|
-
// X509_parse_from_buffer parses an X.509 structure from |buf| and returns a
|
659
|
-
// fresh X509 or NULL on error. There must not be any trailing data in |buf|.
|
660
|
-
// The returned structure (if any) holds a reference to |buf| rather than
|
661
|
-
// copying parts of it as a normal |d2i_X509| call would do.
|
662
|
-
OPENSSL_EXPORT X509 *X509_parse_from_buffer(CRYPTO_BUFFER *buf);
|
663
|
-
|
664
|
-
OPENSSL_EXPORT X509 *d2i_X509_fp(FILE *fp, X509 **x509);
|
665
|
-
OPENSSL_EXPORT int i2d_X509_fp(FILE *fp, X509 *x509);
|
666
|
-
OPENSSL_EXPORT X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl);
|
667
|
-
OPENSSL_EXPORT int i2d_X509_CRL_fp(FILE *fp, X509_CRL *crl);
|
668
|
-
OPENSSL_EXPORT X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **req);
|
669
|
-
OPENSSL_EXPORT int i2d_X509_REQ_fp(FILE *fp, X509_REQ *req);
|
670
|
-
OPENSSL_EXPORT RSA *d2i_RSAPrivateKey_fp(FILE *fp, RSA **rsa);
|
671
|
-
OPENSSL_EXPORT int i2d_RSAPrivateKey_fp(FILE *fp, RSA *rsa);
|
672
|
-
OPENSSL_EXPORT RSA *d2i_RSAPublicKey_fp(FILE *fp, RSA **rsa);
|
673
|
-
OPENSSL_EXPORT int i2d_RSAPublicKey_fp(FILE *fp, RSA *rsa);
|
674
|
-
OPENSSL_EXPORT RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa);
|
675
|
-
OPENSSL_EXPORT int i2d_RSA_PUBKEY_fp(FILE *fp, RSA *rsa);
|
676
|
-
#ifndef OPENSSL_NO_DSA
|
677
|
-
OPENSSL_EXPORT DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa);
|
678
|
-
OPENSSL_EXPORT int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa);
|
679
|
-
OPENSSL_EXPORT DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa);
|
680
|
-
OPENSSL_EXPORT int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa);
|
681
|
-
#endif
|
682
|
-
OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey);
|
683
|
-
OPENSSL_EXPORT int i2d_EC_PUBKEY_fp(FILE *fp, EC_KEY *eckey);
|
684
|
-
OPENSSL_EXPORT EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey);
|
685
|
-
OPENSSL_EXPORT int i2d_ECPrivateKey_fp(FILE *fp, EC_KEY *eckey);
|
686
|
-
OPENSSL_EXPORT X509_SIG *d2i_PKCS8_fp(FILE *fp, X509_SIG **p8);
|
687
|
-
OPENSSL_EXPORT int i2d_PKCS8_fp(FILE *fp, X509_SIG *p8);
|
688
|
-
OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(
|
689
|
-
FILE *fp, PKCS8_PRIV_KEY_INFO **p8inf);
|
690
|
-
OPENSSL_EXPORT int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,
|
691
|
-
PKCS8_PRIV_KEY_INFO *p8inf);
|
692
|
-
OPENSSL_EXPORT int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key);
|
693
|
-
OPENSSL_EXPORT int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey);
|
694
|
-
OPENSSL_EXPORT EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a);
|
695
|
-
OPENSSL_EXPORT int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey);
|
696
|
-
OPENSSL_EXPORT EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a);
|
697
|
-
|
698
|
-
OPENSSL_EXPORT X509 *d2i_X509_bio(BIO *bp, X509 **x509);
|
699
|
-
OPENSSL_EXPORT int i2d_X509_bio(BIO *bp, X509 *x509);
|
700
|
-
OPENSSL_EXPORT X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl);
|
701
|
-
OPENSSL_EXPORT int i2d_X509_CRL_bio(BIO *bp, X509_CRL *crl);
|
702
|
-
OPENSSL_EXPORT X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **req);
|
703
|
-
OPENSSL_EXPORT int i2d_X509_REQ_bio(BIO *bp, X509_REQ *req);
|
704
|
-
OPENSSL_EXPORT RSA *d2i_RSAPrivateKey_bio(BIO *bp, RSA **rsa);
|
705
|
-
OPENSSL_EXPORT int i2d_RSAPrivateKey_bio(BIO *bp, RSA *rsa);
|
706
|
-
OPENSSL_EXPORT RSA *d2i_RSAPublicKey_bio(BIO *bp, RSA **rsa);
|
707
|
-
OPENSSL_EXPORT int i2d_RSAPublicKey_bio(BIO *bp, RSA *rsa);
|
708
|
-
OPENSSL_EXPORT RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa);
|
709
|
-
OPENSSL_EXPORT int i2d_RSA_PUBKEY_bio(BIO *bp, RSA *rsa);
|
710
|
-
#ifndef OPENSSL_NO_DSA
|
711
|
-
OPENSSL_EXPORT DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa);
|
712
|
-
OPENSSL_EXPORT int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa);
|
713
|
-
OPENSSL_EXPORT DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa);
|
714
|
-
OPENSSL_EXPORT int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa);
|
715
|
-
#endif
|
716
|
-
OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey);
|
717
|
-
OPENSSL_EXPORT int i2d_EC_PUBKEY_bio(BIO *bp, EC_KEY *eckey);
|
718
|
-
OPENSSL_EXPORT EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey);
|
719
|
-
OPENSSL_EXPORT int i2d_ECPrivateKey_bio(BIO *bp, EC_KEY *eckey);
|
720
|
-
OPENSSL_EXPORT X509_SIG *d2i_PKCS8_bio(BIO *bp, X509_SIG **p8);
|
721
|
-
OPENSSL_EXPORT int i2d_PKCS8_bio(BIO *bp, X509_SIG *p8);
|
722
|
-
OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(
|
723
|
-
BIO *bp, PKCS8_PRIV_KEY_INFO **p8inf);
|
724
|
-
OPENSSL_EXPORT int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,
|
725
|
-
PKCS8_PRIV_KEY_INFO *p8inf);
|
726
|
-
OPENSSL_EXPORT int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key);
|
727
|
-
OPENSSL_EXPORT int i2d_PrivateKey_bio(BIO *bp, EVP_PKEY *pkey);
|
728
|
-
OPENSSL_EXPORT EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a);
|
729
|
-
OPENSSL_EXPORT int i2d_PUBKEY_bio(BIO *bp, EVP_PKEY *pkey);
|
730
|
-
OPENSSL_EXPORT EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a);
|
731
|
-
OPENSSL_EXPORT DH *d2i_DHparams_bio(BIO *bp, DH **dh);
|
732
|
-
OPENSSL_EXPORT int i2d_DHparams_bio(BIO *bp, const DH *dh);
|
733
|
-
|
734
|
-
OPENSSL_EXPORT X509 *X509_dup(X509 *x509);
|
735
|
-
OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_dup(X509_ATTRIBUTE *xa);
|
736
|
-
OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_dup(X509_EXTENSION *ex);
|
737
|
-
OPENSSL_EXPORT X509_CRL *X509_CRL_dup(X509_CRL *crl);
|
738
|
-
OPENSSL_EXPORT X509_REVOKED *X509_REVOKED_dup(X509_REVOKED *rev);
|
739
|
-
OPENSSL_EXPORT X509_REQ *X509_REQ_dup(X509_REQ *req);
|
740
|
-
OPENSSL_EXPORT X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn);
|
741
|
-
|
742
|
-
// X509_ALGOR_set0 sets |alg| to an AlgorithmIdentifier with algorithm |obj| and
|
743
|
-
// parameter determined by |param_type| and |param_value|. It returns one on
|
744
|
-
// success and zero on error. This function takes ownership of |obj| and
|
745
|
-
// |param_value| on success.
|
746
|
-
//
|
747
|
-
// If |param_type| is |V_ASN1_UNDEF|, the parameter is omitted. If |param_type|
|
748
|
-
// is zero, the parameter is left unchanged. Otherwise, |param_type| and
|
749
|
-
// |param_value| are interpreted as in |ASN1_TYPE_set|.
|
750
|
-
//
|
751
|
-
// Note omitting the parameter (|V_ASN1_UNDEF|) and encoding an explicit NULL
|
752
|
-
// value (|V_ASN1_NULL|) are different. Some algorithms require one and some the
|
753
|
-
// other. Consult the relevant specification before calling this function. The
|
754
|
-
// correct parameter for an RSASSA-PKCS1-v1_5 signature is |V_ASN1_NULL|. The
|
755
|
-
// correct one for an ECDSA or Ed25519 signature is |V_ASN1_UNDEF|.
|
756
|
-
OPENSSL_EXPORT int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *obj,
|
757
|
-
int param_type, void *param_value);
|
758
|
-
|
759
|
-
// X509_ALGOR_get0 sets |*out_obj| to the |alg|'s algorithm. If |alg|'s
|
760
|
-
// parameter is omitted, it sets |*out_param_type| and |*out_param_value| to
|
761
|
-
// |V_ASN1_UNDEF| and NULL. Otherwise, it sets |*out_param_type| and
|
762
|
-
// |*out_param_value| to the parameter, using the same representation as
|
763
|
-
// |ASN1_TYPE_set0|. See |ASN1_TYPE_set0| and |ASN1_TYPE| for details.
|
764
|
-
//
|
765
|
-
// Callers that require the parameter in serialized form should, after checking
|
766
|
-
// for |V_ASN1_UNDEF|, use |ASN1_TYPE_set1| and |d2i_ASN1_TYPE|, rather than
|
767
|
-
// inspecting |*out_param_value|.
|
768
|
-
//
|
769
|
-
// Each of |out_obj|, |out_param_type|, and |out_param_value| may be NULL to
|
770
|
-
// ignore the output. If |out_param_type| is NULL, |out_param_value| is ignored.
|
771
|
-
//
|
772
|
-
// WARNING: If |*out_param_type| is set to |V_ASN1_UNDEF|, OpenSSL and older
|
773
|
-
// revisions of BoringSSL leave |*out_param_value| unset rather than setting it
|
774
|
-
// to NULL. Callers that support both OpenSSL and BoringSSL should not assume
|
775
|
-
// |*out_param_value| is uniformly initialized.
|
776
|
-
OPENSSL_EXPORT void X509_ALGOR_get0(const ASN1_OBJECT **out_obj,
|
777
|
-
int *out_param_type,
|
778
|
-
const void **out_param_value,
|
779
|
-
const X509_ALGOR *alg);
|
1804
|
+
// |EVP_PKEY|, or NULL on error. The caller takes ownership of the resulting
|
1805
|
+
// pointer and must call |EVP_PKEY_free| when done.
|
1806
|
+
OPENSSL_EXPORT EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *spki);
|
780
1807
|
|
781
|
-
//
|
782
|
-
//
|
783
|
-
//
|
784
|
-
OPENSSL_EXPORT
|
1808
|
+
// NETSCAPE_SPKI_set_pubkey sets |spki|'s public key to |pkey|. It returns one
|
1809
|
+
// on success or zero on error. This function does not take ownership of |pkey|,
|
1810
|
+
// so the caller may continue to manage its lifetime independently of |spki|.
|
1811
|
+
OPENSSL_EXPORT int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *spki,
|
1812
|
+
EVP_PKEY *pkey);
|
785
1813
|
|
786
|
-
//
|
787
|
-
//
|
788
|
-
//
|
789
|
-
|
1814
|
+
// NETSCAPE_SPKI_sign signs |spki| with |pkey| and replaces the signature
|
1815
|
+
// algorithm and signature fields. It returns one on success and zero on error.
|
1816
|
+
// This function uses digest algorithm |md|, or |pkey|'s default if NULL. Other
|
1817
|
+
// signing parameters use |pkey|'s defaults.
|
1818
|
+
OPENSSL_EXPORT int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *spki, EVP_PKEY *pkey,
|
1819
|
+
const EVP_MD *md);
|
790
1820
|
|
791
|
-
|
792
|
-
|
793
|
-
|
1821
|
+
// X509_ATTRIBUTE_dup returns a newly-allocated copy of |xa|, or NULL on error.
|
1822
|
+
// This function works by serializing the structure, so if |xa| is incomplete,
|
1823
|
+
// it may fail.
|
1824
|
+
OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_dup(const X509_ATTRIBUTE *xa);
|
794
1825
|
|
795
|
-
|
796
|
-
|
1826
|
+
// X509_REVOKED_dup returns a newly-allocated copy of |rev|, or NULL on error.
|
1827
|
+
// This function works by serializing the structure, so if |rev| is incomplete,
|
1828
|
+
// it may fail.
|
1829
|
+
OPENSSL_EXPORT X509_REVOKED *X509_REVOKED_dup(const X509_REVOKED *rev);
|
797
1830
|
|
798
1831
|
// X509_cmp_time compares |s| against |*t|. On success, it returns a negative
|
799
1832
|
// number if |s| <= |*t| and a positive number if |s| > |*t|. On error, it
|
@@ -803,6 +1836,14 @@ OPENSSL_EXPORT int X509_NAME_get0_der(X509_NAME *nm, const unsigned char **pder,
|
|
803
1836
|
// error, not equality.
|
804
1837
|
OPENSSL_EXPORT int X509_cmp_time(const ASN1_TIME *s, time_t *t);
|
805
1838
|
|
1839
|
+
// X509_cmp_time_posix compares |s| against |t|. On success, it returns a
|
1840
|
+
// negative number if |s| <= |t| and a positive number if |s| > |t|. On error,
|
1841
|
+
// it returns zero.
|
1842
|
+
//
|
1843
|
+
// WARNING: Unlike most comparison functions, this function returns zero on
|
1844
|
+
// error, not equality.
|
1845
|
+
OPENSSL_EXPORT int X509_cmp_time_posix(const ASN1_TIME *s, int64_t t);
|
1846
|
+
|
806
1847
|
// X509_cmp_current_time behaves like |X509_cmp_time| but compares |s| against
|
807
1848
|
// the current time.
|
808
1849
|
OPENSSL_EXPORT int X509_cmp_current_time(const ASN1_TIME *s);
|
@@ -827,12 +1868,7 @@ OPENSSL_EXPORT const char *X509_get_default_cert_dir_env(void);
|
|
827
1868
|
OPENSSL_EXPORT const char *X509_get_default_cert_file_env(void);
|
828
1869
|
OPENSSL_EXPORT const char *X509_get_default_private_dir(void);
|
829
1870
|
|
830
|
-
|
831
|
-
const EVP_MD *md);
|
832
|
-
|
833
|
-
DECLARE_ASN1_ENCODE_FUNCTIONS(X509_ALGORS, X509_ALGORS, X509_ALGORS)
|
834
|
-
|
835
|
-
DECLARE_ASN1_FUNCTIONS(X509_PUBKEY)
|
1871
|
+
DECLARE_ASN1_FUNCTIONS_const(X509_PUBKEY)
|
836
1872
|
|
837
1873
|
// X509_PUBKEY_set serializes |pkey| into a newly-allocated |X509_PUBKEY|
|
838
1874
|
// structure. On success, it frees |*x|, sets |*x| to the new object, and
|
@@ -845,10 +1881,9 @@ OPENSSL_EXPORT int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey);
|
|
845
1881
|
// not mutate the result.
|
846
1882
|
OPENSSL_EXPORT EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key);
|
847
1883
|
|
848
|
-
|
849
|
-
DECLARE_ASN1_FUNCTIONS(X509_REQ)
|
1884
|
+
DECLARE_ASN1_FUNCTIONS_const(X509_SIG)
|
850
1885
|
|
851
|
-
|
1886
|
+
DECLARE_ASN1_FUNCTIONS_const(X509_ATTRIBUTE)
|
852
1887
|
|
853
1888
|
// X509_ATTRIBUTE_create returns a newly-allocated |X509_ATTRIBUTE|, or NULL on
|
854
1889
|
// error. The attribute has type |nid| and contains a single value determined by
|
@@ -857,99 +1892,15 @@ DECLARE_ASN1_FUNCTIONS(X509_ATTRIBUTE)
|
|
857
1892
|
OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int attrtype,
|
858
1893
|
void *value);
|
859
1894
|
|
860
|
-
DECLARE_ASN1_FUNCTIONS(X509_EXTENSION)
|
861
|
-
DECLARE_ASN1_ENCODE_FUNCTIONS(X509_EXTENSIONS, X509_EXTENSIONS, X509_EXTENSIONS)
|
862
|
-
|
863
|
-
DECLARE_ASN1_FUNCTIONS(X509_NAME_ENTRY)
|
864
|
-
|
865
|
-
DECLARE_ASN1_FUNCTIONS(X509_NAME)
|
866
|
-
|
867
|
-
// X509_NAME_set makes a copy of |name|. On success, it frees |*xn|, sets |*xn|
|
868
|
-
// to the copy, and returns one. Otherwise, it returns zero.
|
869
|
-
OPENSSL_EXPORT int X509_NAME_set(X509_NAME **xn, X509_NAME *name);
|
870
|
-
|
871
|
-
DECLARE_ASN1_FUNCTIONS(X509)
|
872
|
-
DECLARE_ASN1_FUNCTIONS(X509_CERT_AUX)
|
873
|
-
|
874
|
-
// X509_up_ref adds one to the reference count of |x509| and returns one.
|
875
|
-
OPENSSL_EXPORT int X509_up_ref(X509 *x509);
|
876
|
-
|
877
|
-
OPENSSL_EXPORT int X509_get_ex_new_index(long argl, void *argp,
|
878
|
-
CRYPTO_EX_unused *unused,
|
879
|
-
CRYPTO_EX_dup *dup_unused,
|
880
|
-
CRYPTO_EX_free *free_func);
|
881
|
-
OPENSSL_EXPORT int X509_set_ex_data(X509 *r, int idx, void *arg);
|
882
|
-
OPENSSL_EXPORT void *X509_get_ex_data(X509 *r, int idx);
|
883
|
-
OPENSSL_EXPORT int i2d_X509_AUX(X509 *a, unsigned char **pp);
|
884
|
-
OPENSSL_EXPORT X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp,
|
885
|
-
long length);
|
886
|
-
|
887
|
-
// i2d_re_X509_tbs serializes the TBSCertificate portion of |x509|, as described
|
888
|
-
// in |i2d_SAMPLE|.
|
889
|
-
//
|
890
|
-
// This function re-encodes the TBSCertificate and may not reflect |x509|'s
|
891
|
-
// original encoding. It may be used to manually generate a signature for a new
|
892
|
-
// certificate. To verify certificates, use |i2d_X509_tbs| instead.
|
893
|
-
OPENSSL_EXPORT int i2d_re_X509_tbs(X509 *x509, unsigned char **outp);
|
894
|
-
|
895
|
-
// i2d_X509_tbs serializes the TBSCertificate portion of |x509|, as described in
|
896
|
-
// |i2d_SAMPLE|.
|
897
|
-
//
|
898
|
-
// This function preserves the original encoding of the TBSCertificate and may
|
899
|
-
// not reflect modifications made to |x509|. It may be used to manually verify
|
900
|
-
// the signature of an existing certificate. To generate certificates, use
|
901
|
-
// |i2d_re_X509_tbs| instead.
|
902
|
-
OPENSSL_EXPORT int i2d_X509_tbs(X509 *x509, unsigned char **outp);
|
903
|
-
|
904
|
-
// X509_set1_signature_algo sets |x509|'s signature algorithm to |algo| and
|
905
|
-
// returns one on success or zero on error. It updates both the signature field
|
906
|
-
// of the TBSCertificate structure, and the signatureAlgorithm field of the
|
907
|
-
// Certificate.
|
908
|
-
OPENSSL_EXPORT int X509_set1_signature_algo(X509 *x509, const X509_ALGOR *algo);
|
909
|
-
|
910
|
-
// X509_set1_signature_value sets |x509|'s signature to a copy of the |sig_len|
|
911
|
-
// bytes pointed by |sig|. It returns one on success and zero on error.
|
912
|
-
//
|
913
|
-
// Due to a specification error, X.509 certificates store signatures in ASN.1
|
914
|
-
// BIT STRINGs, but signature algorithms return byte strings rather than bit
|
915
|
-
// strings. This function creates a BIT STRING containing a whole number of
|
916
|
-
// bytes, with the bit order matching the DER encoding. This matches the
|
917
|
-
// encoding used by all X.509 signature algorithms.
|
918
|
-
OPENSSL_EXPORT int X509_set1_signature_value(X509 *x509, const uint8_t *sig,
|
919
|
-
size_t sig_len);
|
920
|
-
|
921
|
-
// X509_get0_signature sets |*out_sig| and |*out_alg| to the signature and
|
922
|
-
// signature algorithm of |x509|, respectively. Either output pointer may be
|
923
|
-
// NULL to ignore the value.
|
924
|
-
//
|
925
|
-
// This function outputs the outer signature algorithm. For the one in the
|
926
|
-
// TBSCertificate, see |X509_get0_tbs_sigalg|. Certificates with mismatched
|
927
|
-
// signature algorithms will successfully parse, but they will be rejected when
|
928
|
-
// verifying.
|
929
|
-
OPENSSL_EXPORT void X509_get0_signature(const ASN1_BIT_STRING **out_sig,
|
930
|
-
const X509_ALGOR **out_alg,
|
931
|
-
const X509 *x509);
|
932
|
-
|
933
|
-
// X509_get_signature_nid returns the NID corresponding to |x509|'s signature
|
934
|
-
// algorithm, or |NID_undef| if the signature algorithm does not correspond to
|
935
|
-
// a known NID.
|
936
|
-
OPENSSL_EXPORT int X509_get_signature_nid(const X509 *x509);
|
937
|
-
|
938
|
-
OPENSSL_EXPORT int X509_alias_set1(X509 *x, const unsigned char *name, int len);
|
939
|
-
OPENSSL_EXPORT int X509_keyid_set1(X509 *x, const unsigned char *id, int len);
|
940
|
-
OPENSSL_EXPORT unsigned char *X509_alias_get0(X509 *x, int *len);
|
941
|
-
OPENSSL_EXPORT unsigned char *X509_keyid_get0(X509 *x, int *len);
|
942
|
-
OPENSSL_EXPORT int (*X509_TRUST_set_default(int (*trust)(int, X509 *,
|
943
|
-
int)))(int, X509 *,
|
944
|
-
int);
|
945
|
-
OPENSSL_EXPORT int X509_TRUST_set(int *t, int trust);
|
946
1895
|
OPENSSL_EXPORT int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj);
|
947
1896
|
OPENSSL_EXPORT int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj);
|
948
1897
|
OPENSSL_EXPORT void X509_trust_clear(X509 *x);
|
949
1898
|
OPENSSL_EXPORT void X509_reject_clear(X509 *x);
|
950
1899
|
|
951
|
-
|
952
|
-
|
1900
|
+
|
1901
|
+
OPENSSL_EXPORT int X509_TRUST_set(int *t, int trust);
|
1902
|
+
|
1903
|
+
DECLARE_ASN1_FUNCTIONS_const(X509_REVOKED)
|
953
1904
|
|
954
1905
|
OPENSSL_EXPORT int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);
|
955
1906
|
OPENSSL_EXPORT int X509_CRL_get0_by_serial(X509_CRL *crl, X509_REVOKED **ret,
|
@@ -960,8 +1911,8 @@ OPENSSL_EXPORT int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret,
|
|
960
1911
|
OPENSSL_EXPORT X509_PKEY *X509_PKEY_new(void);
|
961
1912
|
OPENSSL_EXPORT void X509_PKEY_free(X509_PKEY *a);
|
962
1913
|
|
963
|
-
|
964
|
-
|
1914
|
+
DECLARE_ASN1_FUNCTIONS_const(NETSCAPE_SPKI)
|
1915
|
+
DECLARE_ASN1_FUNCTIONS_const(NETSCAPE_SPKAC)
|
965
1916
|
|
966
1917
|
OPENSSL_EXPORT X509_INFO *X509_INFO_new(void);
|
967
1918
|
OPENSSL_EXPORT void X509_INFO_free(X509_INFO *a);
|
@@ -988,96 +1939,6 @@ OPENSSL_EXPORT int ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1,
|
|
988
1939
|
ASN1_BIT_STRING *signature, void *asn,
|
989
1940
|
EVP_MD_CTX *ctx);
|
990
1941
|
|
991
|
-
// X509_get_serialNumber returns a mutable pointer to |x509|'s serial number.
|
992
|
-
// Prefer |X509_get0_serialNumber|.
|
993
|
-
OPENSSL_EXPORT ASN1_INTEGER *X509_get_serialNumber(X509 *x509);
|
994
|
-
|
995
|
-
// X509_set_issuer_name sets |x509|'s issuer to a copy of |name|. It returns one
|
996
|
-
// on success and zero on error.
|
997
|
-
OPENSSL_EXPORT int X509_set_issuer_name(X509 *x509, X509_NAME *name);
|
998
|
-
|
999
|
-
// X509_get_issuer_name returns |x509|'s issuer.
|
1000
|
-
OPENSSL_EXPORT X509_NAME *X509_get_issuer_name(const X509 *x509);
|
1001
|
-
|
1002
|
-
// X509_set_subject_name sets |x509|'s subject to a copy of |name|. It returns
|
1003
|
-
// one on success and zero on error.
|
1004
|
-
OPENSSL_EXPORT int X509_set_subject_name(X509 *x509, X509_NAME *name);
|
1005
|
-
|
1006
|
-
// X509_get_issuer_name returns |x509|'s subject.
|
1007
|
-
OPENSSL_EXPORT X509_NAME *X509_get_subject_name(const X509 *x509);
|
1008
|
-
|
1009
|
-
// X509_set_pubkey sets |x509|'s public key to |pkey|. It returns one on success
|
1010
|
-
// and zero on error. This function does not take ownership of |pkey| and
|
1011
|
-
// internally copies and updates reference counts as needed.
|
1012
|
-
OPENSSL_EXPORT int X509_set_pubkey(X509 *x509, EVP_PKEY *pkey);
|
1013
|
-
|
1014
|
-
// X509_get_pubkey returns |x509|'s public key as an |EVP_PKEY|, or NULL if the
|
1015
|
-
// public key was unsupported or could not be decoded. This function returns a
|
1016
|
-
// reference to the |EVP_PKEY|. The caller must release the result with
|
1017
|
-
// |EVP_PKEY_free| when done.
|
1018
|
-
OPENSSL_EXPORT EVP_PKEY *X509_get_pubkey(X509 *x509);
|
1019
|
-
|
1020
|
-
// X509_get0_pubkey_bitstr returns the BIT STRING portion of |x509|'s public
|
1021
|
-
// key. Note this does not contain the AlgorithmIdentifier portion.
|
1022
|
-
//
|
1023
|
-
// WARNING: This function returns a non-const pointer for OpenSSL compatibility,
|
1024
|
-
// but the caller must not modify the resulting object. Doing so will break
|
1025
|
-
// internal invariants in |x509|.
|
1026
|
-
OPENSSL_EXPORT ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x509);
|
1027
|
-
|
1028
|
-
// X509_get0_extensions returns |x509|'s extension list, or NULL if |x509| omits
|
1029
|
-
// it.
|
1030
|
-
OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_get0_extensions(
|
1031
|
-
const X509 *x509);
|
1032
|
-
|
1033
|
-
// X509_get0_tbs_sigalg returns the signature algorithm in |x509|'s
|
1034
|
-
// TBSCertificate. For the outer signature algorithm, see |X509_get0_signature|.
|
1035
|
-
//
|
1036
|
-
// Certificates with mismatched signature algorithms will successfully parse,
|
1037
|
-
// but they will be rejected when verifying.
|
1038
|
-
OPENSSL_EXPORT const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x509);
|
1039
|
-
|
1040
|
-
// X509_REQ_set_version sets |req|'s version to |version|, which should be
|
1041
|
-
// |X509_REQ_VERSION_1|. It returns one on success and zero on error.
|
1042
|
-
//
|
1043
|
-
// Note no versions other than |X509_REQ_VERSION_1| are defined for CSRs.
|
1044
|
-
OPENSSL_EXPORT int X509_REQ_set_version(X509_REQ *req, long version);
|
1045
|
-
|
1046
|
-
// X509_REQ_set_subject_name sets |req|'s subject to a copy of |name|. It
|
1047
|
-
// returns one on success and zero on error.
|
1048
|
-
OPENSSL_EXPORT int X509_REQ_set_subject_name(X509_REQ *req, X509_NAME *name);
|
1049
|
-
|
1050
|
-
// X509_REQ_get0_signature sets |*out_sig| and |*out_alg| to the signature and
|
1051
|
-
// signature algorithm of |req|, respectively. Either output pointer may be NULL
|
1052
|
-
// to ignore the value.
|
1053
|
-
OPENSSL_EXPORT void X509_REQ_get0_signature(const X509_REQ *req,
|
1054
|
-
const ASN1_BIT_STRING **out_sig,
|
1055
|
-
const X509_ALGOR **out_alg);
|
1056
|
-
|
1057
|
-
// X509_REQ_get_signature_nid returns the NID corresponding to |req|'s signature
|
1058
|
-
// algorithm, or |NID_undef| if the signature algorithm does not correspond to
|
1059
|
-
// a known NID.
|
1060
|
-
OPENSSL_EXPORT int X509_REQ_get_signature_nid(const X509_REQ *req);
|
1061
|
-
|
1062
|
-
// i2d_re_X509_REQ_tbs serializes the CertificationRequestInfo (see RFC 2986)
|
1063
|
-
// portion of |req|, as described in |i2d_SAMPLE|.
|
1064
|
-
//
|
1065
|
-
// This function re-encodes the CertificationRequestInfo and may not reflect
|
1066
|
-
// |req|'s original encoding. It may be used to manually generate a signature
|
1067
|
-
// for a new certificate request.
|
1068
|
-
OPENSSL_EXPORT int i2d_re_X509_REQ_tbs(X509_REQ *req, uint8_t **outp);
|
1069
|
-
|
1070
|
-
// X509_REQ_set_pubkey sets |req|'s public key to |pkey|. It returns one on
|
1071
|
-
// success and zero on error. This function does not take ownership of |pkey|
|
1072
|
-
// and internally copies and updates reference counts as needed.
|
1073
|
-
OPENSSL_EXPORT int X509_REQ_set_pubkey(X509_REQ *req, EVP_PKEY *pkey);
|
1074
|
-
|
1075
|
-
// X509_REQ_get_pubkey returns |req|'s public key as an |EVP_PKEY|, or NULL if
|
1076
|
-
// the public key was unsupported or could not be decoded. This function returns
|
1077
|
-
// a reference to the |EVP_PKEY|. The caller must release the result with
|
1078
|
-
// |EVP_PKEY_free| when done.
|
1079
|
-
OPENSSL_EXPORT EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req);
|
1080
|
-
|
1081
1942
|
// X509_REQ_extension_nid returns one if |nid| is a supported CSR attribute type
|
1082
1943
|
// for carrying extensions and zero otherwise. The supported types are
|
1083
1944
|
// |NID_ext_req| (pkcs-9-at-extensionRequest from RFC 2985) and |NID_ms_ext_req|
|
@@ -1143,96 +2004,29 @@ OPENSSL_EXPORT int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr);
|
|
1143
2004
|
// It returns one on success and zero on error. The value is determined by
|
1144
2005
|
// |X509_ATTRIBUTE_set1_data|.
|
1145
2006
|
//
|
1146
|
-
// WARNING: The interpretation of |attrtype|, |data|, and |len| is complex and
|
1147
|
-
// error-prone. See |X509_ATTRIBUTE_set1_data| for details.
|
1148
|
-
OPENSSL_EXPORT int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
|
1149
|
-
const ASN1_OBJECT *obj,
|
1150
|
-
int attrtype,
|
1151
|
-
const unsigned char *data,
|
1152
|
-
int len);
|
1153
|
-
|
1154
|
-
// X509_REQ_add1_attr_by_NID behaves like |X509_REQ_add1_attr_by_OBJ| except the
|
1155
|
-
// attribute type is determined by |nid|.
|
1156
|
-
OPENSSL_EXPORT int X509_REQ_add1_attr_by_NID(X509_REQ *req, int nid,
|
1157
|
-
int attrtype,
|
1158
|
-
const unsigned char *data,
|
1159
|
-
int len);
|
1160
|
-
|
1161
|
-
// X509_REQ_add1_attr_by_txt behaves like |X509_REQ_add1_attr_by_OBJ| except the
|
1162
|
-
// attribute type is determined by calling |OBJ_txt2obj| with |attrname|.
|
1163
|
-
OPENSSL_EXPORT int X509_REQ_add1_attr_by_txt(X509_REQ *req,
|
1164
|
-
const char *attrname, int attrtype,
|
1165
|
-
const unsigned char *data,
|
1166
|
-
int len);
|
1167
|
-
|
1168
|
-
// X509_CRL_set_version sets |crl|'s version to |version|, which should be one
|
1169
|
-
// of the |X509_CRL_VERSION_*| constants. It returns one on success and zero on
|
1170
|
-
// error.
|
1171
|
-
//
|
1172
|
-
// If unsure, use |X509_CRL_VERSION_2|. Note that, unlike certificates, CRL
|
1173
|
-
// versions are only defined up to v2. Callers should not use |X509_VERSION_3|.
|
1174
|
-
OPENSSL_EXPORT int X509_CRL_set_version(X509_CRL *crl, long version);
|
1175
|
-
|
1176
|
-
// X509_CRL_set_issuer_name sets |crl|'s issuer to a copy of |name|. It returns
|
1177
|
-
// one on success and zero on error.
|
1178
|
-
OPENSSL_EXPORT int X509_CRL_set_issuer_name(X509_CRL *crl, X509_NAME *name);
|
1179
|
-
|
1180
|
-
OPENSSL_EXPORT int X509_CRL_sort(X509_CRL *crl);
|
1181
|
-
|
1182
|
-
// X509_CRL_up_ref adds one to the reference count of |crl| and returns one.
|
1183
|
-
OPENSSL_EXPORT int X509_CRL_up_ref(X509_CRL *crl);
|
1184
|
-
|
1185
|
-
// X509_CRL_get0_signature sets |*out_sig| and |*out_alg| to the signature and
|
1186
|
-
// signature algorithm of |crl|, respectively. Either output pointer may be NULL
|
1187
|
-
// to ignore the value.
|
1188
|
-
//
|
1189
|
-
// This function outputs the outer signature algorithm, not the one in the
|
1190
|
-
// TBSCertList. CRLs with mismatched signature algorithms will successfully
|
1191
|
-
// parse, but they will be rejected when verifying.
|
1192
|
-
OPENSSL_EXPORT void X509_CRL_get0_signature(const X509_CRL *crl,
|
1193
|
-
const ASN1_BIT_STRING **out_sig,
|
1194
|
-
const X509_ALGOR **out_alg);
|
1195
|
-
|
1196
|
-
// X509_CRL_get_signature_nid returns the NID corresponding to |crl|'s signature
|
1197
|
-
// algorithm, or |NID_undef| if the signature algorithm does not correspond to
|
1198
|
-
// a known NID.
|
1199
|
-
OPENSSL_EXPORT int X509_CRL_get_signature_nid(const X509_CRL *crl);
|
1200
|
-
|
1201
|
-
// i2d_re_X509_CRL_tbs serializes the TBSCertList portion of |crl|, as described
|
1202
|
-
// in |i2d_SAMPLE|.
|
1203
|
-
//
|
1204
|
-
// This function re-encodes the TBSCertList and may not reflect |crl|'s original
|
1205
|
-
// encoding. It may be used to manually generate a signature for a new CRL. To
|
1206
|
-
// verify CRLs, use |i2d_X509_CRL_tbs| instead.
|
1207
|
-
OPENSSL_EXPORT int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **outp);
|
1208
|
-
|
1209
|
-
// i2d_X509_CRL_tbs serializes the TBSCertList portion of |crl|, as described in
|
1210
|
-
// |i2d_SAMPLE|.
|
1211
|
-
//
|
1212
|
-
// This function preserves the original encoding of the TBSCertList and may not
|
1213
|
-
// reflect modifications made to |crl|. It may be used to manually verify the
|
1214
|
-
// signature of an existing CRL. To generate CRLs, use |i2d_re_X509_CRL_tbs|
|
1215
|
-
// instead.
|
1216
|
-
OPENSSL_EXPORT int i2d_X509_CRL_tbs(X509_CRL *crl, unsigned char **outp);
|
2007
|
+
// WARNING: The interpretation of |attrtype|, |data|, and |len| is complex and
|
2008
|
+
// error-prone. See |X509_ATTRIBUTE_set1_data| for details.
|
2009
|
+
OPENSSL_EXPORT int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
|
2010
|
+
const ASN1_OBJECT *obj,
|
2011
|
+
int attrtype,
|
2012
|
+
const unsigned char *data,
|
2013
|
+
int len);
|
1217
2014
|
|
1218
|
-
//
|
1219
|
-
//
|
1220
|
-
|
1221
|
-
|
1222
|
-
|
2015
|
+
// X509_REQ_add1_attr_by_NID behaves like |X509_REQ_add1_attr_by_OBJ| except the
|
2016
|
+
// attribute type is determined by |nid|.
|
2017
|
+
OPENSSL_EXPORT int X509_REQ_add1_attr_by_NID(X509_REQ *req, int nid,
|
2018
|
+
int attrtype,
|
2019
|
+
const unsigned char *data,
|
2020
|
+
int len);
|
1223
2021
|
|
1224
|
-
//
|
1225
|
-
//
|
1226
|
-
|
1227
|
-
|
1228
|
-
|
1229
|
-
|
1230
|
-
|
1231
|
-
|
1232
|
-
// encoding used by all X.509 signature algorithms.
|
1233
|
-
OPENSSL_EXPORT int X509_CRL_set1_signature_value(X509_CRL *crl,
|
1234
|
-
const uint8_t *sig,
|
1235
|
-
size_t sig_len);
|
2022
|
+
// X509_REQ_add1_attr_by_txt behaves like |X509_REQ_add1_attr_by_OBJ| except the
|
2023
|
+
// attribute type is determined by calling |OBJ_txt2obj| with |attrname|.
|
2024
|
+
OPENSSL_EXPORT int X509_REQ_add1_attr_by_txt(X509_REQ *req,
|
2025
|
+
const char *attrname, int attrtype,
|
2026
|
+
const unsigned char *data,
|
2027
|
+
int len);
|
2028
|
+
|
2029
|
+
OPENSSL_EXPORT int X509_CRL_sort(X509_CRL *crl);
|
1236
2030
|
|
1237
2031
|
// X509_REVOKED_get0_serialNumber returns the serial number of the certificate
|
1238
2032
|
// revoked by |revoked|.
|
@@ -1266,19 +2060,6 @@ OPENSSL_EXPORT X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
|
|
1266
2060
|
OPENSSL_EXPORT int X509_REQ_check_private_key(X509_REQ *x509, EVP_PKEY *pkey);
|
1267
2061
|
|
1268
2062
|
OPENSSL_EXPORT int X509_check_private_key(X509 *x509, const EVP_PKEY *pkey);
|
1269
|
-
OPENSSL_EXPORT int X509_chain_check_suiteb(int *perror_depth, X509 *x,
|
1270
|
-
STACK_OF(X509) *chain,
|
1271
|
-
unsigned long flags);
|
1272
|
-
OPENSSL_EXPORT int X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk,
|
1273
|
-
unsigned long flags);
|
1274
|
-
|
1275
|
-
// X509_chain_up_ref returns a newly-allocated |STACK_OF(X509)| containing a
|
1276
|
-
// shallow copy of |chain|, or NULL on error. That is, the return value has the
|
1277
|
-
// same contents as |chain|, and each |X509|'s reference count is incremented by
|
1278
|
-
// one.
|
1279
|
-
OPENSSL_EXPORT STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain);
|
1280
|
-
|
1281
|
-
OPENSSL_EXPORT int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b);
|
1282
2063
|
|
1283
2064
|
OPENSSL_EXPORT int X509_issuer_name_cmp(const X509 *a, const X509 *b);
|
1284
2065
|
OPENSSL_EXPORT unsigned long X509_issuer_name_hash(X509 *a);
|
@@ -1310,149 +2091,11 @@ OPENSSL_EXPORT int X509_NAME_print_ex(BIO *out, const X509_NAME *nm, int indent,
|
|
1310
2091
|
OPENSSL_EXPORT int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflag,
|
1311
2092
|
unsigned long cflag);
|
1312
2093
|
OPENSSL_EXPORT int X509_print(BIO *bp, X509 *x);
|
1313
|
-
OPENSSL_EXPORT int X509_ocspid_print(BIO *bp, X509 *x);
|
1314
|
-
OPENSSL_EXPORT int X509_CERT_AUX_print(BIO *bp, X509_CERT_AUX *x, int indent);
|
1315
2094
|
OPENSSL_EXPORT int X509_CRL_print(BIO *bp, X509_CRL *x);
|
1316
2095
|
OPENSSL_EXPORT int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflag,
|
1317
2096
|
unsigned long cflag);
|
1318
2097
|
OPENSSL_EXPORT int X509_REQ_print(BIO *bp, X509_REQ *req);
|
1319
2098
|
|
1320
|
-
OPENSSL_EXPORT int X509_NAME_entry_count(const X509_NAME *name);
|
1321
|
-
OPENSSL_EXPORT int X509_NAME_get_text_by_NID(const X509_NAME *name, int nid,
|
1322
|
-
char *buf, int len);
|
1323
|
-
OPENSSL_EXPORT int X509_NAME_get_text_by_OBJ(const X509_NAME *name,
|
1324
|
-
const ASN1_OBJECT *obj, char *buf,
|
1325
|
-
int len);
|
1326
|
-
|
1327
|
-
// NOTE: you should be passsing -1, not 0 as lastpos. The functions that use
|
1328
|
-
// lastpos, search after that position on.
|
1329
|
-
OPENSSL_EXPORT int X509_NAME_get_index_by_NID(const X509_NAME *name, int nid,
|
1330
|
-
int lastpos);
|
1331
|
-
OPENSSL_EXPORT int X509_NAME_get_index_by_OBJ(const X509_NAME *name,
|
1332
|
-
const ASN1_OBJECT *obj,
|
1333
|
-
int lastpos);
|
1334
|
-
OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_get_entry(const X509_NAME *name,
|
1335
|
-
int loc);
|
1336
|
-
OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name,
|
1337
|
-
int loc);
|
1338
|
-
OPENSSL_EXPORT int X509_NAME_add_entry(X509_NAME *name, X509_NAME_ENTRY *ne,
|
1339
|
-
int loc, int set);
|
1340
|
-
OPENSSL_EXPORT int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj,
|
1341
|
-
int type,
|
1342
|
-
const unsigned char *bytes,
|
1343
|
-
int len, int loc, int set);
|
1344
|
-
OPENSSL_EXPORT int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid,
|
1345
|
-
int type,
|
1346
|
-
const unsigned char *bytes,
|
1347
|
-
int len, int loc, int set);
|
1348
|
-
OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(
|
1349
|
-
X509_NAME_ENTRY **ne, const char *field, int type,
|
1350
|
-
const unsigned char *bytes, int len);
|
1351
|
-
OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(
|
1352
|
-
X509_NAME_ENTRY **ne, int nid, int type, const unsigned char *bytes,
|
1353
|
-
int len);
|
1354
|
-
OPENSSL_EXPORT int X509_NAME_add_entry_by_txt(X509_NAME *name,
|
1355
|
-
const char *field, int type,
|
1356
|
-
const unsigned char *bytes,
|
1357
|
-
int len, int loc, int set);
|
1358
|
-
OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(
|
1359
|
-
X509_NAME_ENTRY **ne, const ASN1_OBJECT *obj, int type,
|
1360
|
-
const unsigned char *bytes, int len);
|
1361
|
-
OPENSSL_EXPORT int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne,
|
1362
|
-
const ASN1_OBJECT *obj);
|
1363
|
-
OPENSSL_EXPORT int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
|
1364
|
-
const unsigned char *bytes,
|
1365
|
-
int len);
|
1366
|
-
OPENSSL_EXPORT ASN1_OBJECT *X509_NAME_ENTRY_get_object(
|
1367
|
-
const X509_NAME_ENTRY *ne);
|
1368
|
-
OPENSSL_EXPORT ASN1_STRING *X509_NAME_ENTRY_get_data(const X509_NAME_ENTRY *ne);
|
1369
|
-
|
1370
|
-
// X509v3_get_ext_count returns the number of extensions in |x|.
|
1371
|
-
OPENSSL_EXPORT int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x);
|
1372
|
-
|
1373
|
-
// X509v3_get_ext_by_NID returns the index of the first extension in |x| with
|
1374
|
-
// type |nid|, or a negative number if not found. If found, callers can use
|
1375
|
-
// |X509v3_get_ext| to look up the extension by index.
|
1376
|
-
//
|
1377
|
-
// If |lastpos| is non-negative, it begins searching at |lastpos| + 1. Callers
|
1378
|
-
// can thus loop over all matching extensions by first passing -1 and then
|
1379
|
-
// passing the previously-returned value until no match is returned.
|
1380
|
-
OPENSSL_EXPORT int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x,
|
1381
|
-
int nid, int lastpos);
|
1382
|
-
|
1383
|
-
// X509v3_get_ext_by_OBJ behaves like |X509v3_get_ext_by_NID| but looks for
|
1384
|
-
// extensions matching |obj|.
|
1385
|
-
OPENSSL_EXPORT int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *x,
|
1386
|
-
const ASN1_OBJECT *obj, int lastpos);
|
1387
|
-
|
1388
|
-
// X509v3_get_ext_by_critical returns the index of the first extension in |x|
|
1389
|
-
// whose critical bit matches |crit|, or a negative number if no such extension
|
1390
|
-
// was found.
|
1391
|
-
//
|
1392
|
-
// If |lastpos| is non-negative, it begins searching at |lastpos| + 1. Callers
|
1393
|
-
// can thus loop over all matching extensions by first passing -1 and then
|
1394
|
-
// passing the previously-returned value until no match is returned.
|
1395
|
-
OPENSSL_EXPORT int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *x,
|
1396
|
-
int crit, int lastpos);
|
1397
|
-
|
1398
|
-
// X509v3_get_ext returns the extension in |x| at index |loc|, or NULL if |loc|
|
1399
|
-
// is out of bounds.
|
1400
|
-
OPENSSL_EXPORT X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x,
|
1401
|
-
int loc);
|
1402
|
-
|
1403
|
-
// X509v3_delete_ext removes the extension in |x| at index |loc| and returns the
|
1404
|
-
// removed extension, or NULL if |loc| was out of bounds. If an extension was
|
1405
|
-
// returned, the caller must release it with |X509_EXTENSION_free|.
|
1406
|
-
OPENSSL_EXPORT X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x,
|
1407
|
-
int loc);
|
1408
|
-
|
1409
|
-
// X509v3_add_ext adds a copy of |ex| to the extension list in |*x|. If |*x| is
|
1410
|
-
// NULL, it allocates a new |STACK_OF(X509_EXTENSION)| to hold the copy and sets
|
1411
|
-
// |*x| to the new list. It returns |*x| on success and NULL on error. The
|
1412
|
-
// caller retains ownership of |ex| and can release it independently of |*x|.
|
1413
|
-
//
|
1414
|
-
// The new extension is inserted at index |loc|, shifting extensions to the
|
1415
|
-
// right. If |loc| is -1 or out of bounds, the new extension is appended to the
|
1416
|
-
// list.
|
1417
|
-
OPENSSL_EXPORT STACK_OF(X509_EXTENSION) *X509v3_add_ext(
|
1418
|
-
STACK_OF(X509_EXTENSION) **x, X509_EXTENSION *ex, int loc);
|
1419
|
-
|
1420
|
-
// X509_get_ext_count returns the number of extensions in |x|.
|
1421
|
-
OPENSSL_EXPORT int X509_get_ext_count(const X509 *x);
|
1422
|
-
|
1423
|
-
// X509_get_ext_by_NID behaves like |X509v3_get_ext_by_NID| but searches for
|
1424
|
-
// extensions in |x|.
|
1425
|
-
OPENSSL_EXPORT int X509_get_ext_by_NID(const X509 *x, int nid, int lastpos);
|
1426
|
-
|
1427
|
-
// X509_get_ext_by_OBJ behaves like |X509v3_get_ext_by_OBJ| but searches for
|
1428
|
-
// extensions in |x|.
|
1429
|
-
OPENSSL_EXPORT int X509_get_ext_by_OBJ(const X509 *x, const ASN1_OBJECT *obj,
|
1430
|
-
int lastpos);
|
1431
|
-
|
1432
|
-
// X509_get_ext_by_critical behaves like |X509v3_get_ext_by_critical| but
|
1433
|
-
// searches for extensions in |x|.
|
1434
|
-
OPENSSL_EXPORT int X509_get_ext_by_critical(const X509 *x, int crit,
|
1435
|
-
int lastpos);
|
1436
|
-
|
1437
|
-
// X509_get_ext returns the extension in |x| at index |loc|, or NULL if |loc| is
|
1438
|
-
// out of bounds.
|
1439
|
-
OPENSSL_EXPORT X509_EXTENSION *X509_get_ext(const X509 *x, int loc);
|
1440
|
-
|
1441
|
-
// X509_delete_ext removes the extension in |x| at index |loc| and returns the
|
1442
|
-
// removed extension, or NULL if |loc| was out of bounds. If non-NULL, the
|
1443
|
-
// caller must release the result with |X509_EXTENSION_free|. It is also safe,
|
1444
|
-
// but not necessary, to call |X509_EXTENSION_free| if the result is NULL.
|
1445
|
-
OPENSSL_EXPORT X509_EXTENSION *X509_delete_ext(X509 *x, int loc);
|
1446
|
-
|
1447
|
-
// X509_add_ext adds a copy of |ex| to |x|. It returns one on success and zero
|
1448
|
-
// on failure. The caller retains ownership of |ex| and can release it
|
1449
|
-
// independently of |x|.
|
1450
|
-
//
|
1451
|
-
// The new extension is inserted at index |loc|, shifting extensions to the
|
1452
|
-
// right. If |loc| is -1 or out of bounds, the new extension is appended to the
|
1453
|
-
// list.
|
1454
|
-
OPENSSL_EXPORT int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc);
|
1455
|
-
|
1456
2099
|
// X509_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the extension in
|
1457
2100
|
// |x509|'s extension list.
|
1458
2101
|
//
|
@@ -1470,43 +2113,6 @@ OPENSSL_EXPORT void *X509_get_ext_d2i(const X509 *x509, int nid,
|
|
1470
2113
|
OPENSSL_EXPORT int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
|
1471
2114
|
unsigned long flags);
|
1472
2115
|
|
1473
|
-
// X509_CRL_get_ext_count returns the number of extensions in |x|.
|
1474
|
-
OPENSSL_EXPORT int X509_CRL_get_ext_count(const X509_CRL *x);
|
1475
|
-
|
1476
|
-
// X509_CRL_get_ext_by_NID behaves like |X509v3_get_ext_by_NID| but searches for
|
1477
|
-
// extensions in |x|.
|
1478
|
-
OPENSSL_EXPORT int X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid,
|
1479
|
-
int lastpos);
|
1480
|
-
|
1481
|
-
// X509_CRL_get_ext_by_OBJ behaves like |X509v3_get_ext_by_OBJ| but searches for
|
1482
|
-
// extensions in |x|.
|
1483
|
-
OPENSSL_EXPORT int X509_CRL_get_ext_by_OBJ(const X509_CRL *x,
|
1484
|
-
const ASN1_OBJECT *obj, int lastpos);
|
1485
|
-
|
1486
|
-
// X509_CRL_get_ext_by_critical behaves like |X509v3_get_ext_by_critical| but
|
1487
|
-
// searches for extensions in |x|.
|
1488
|
-
OPENSSL_EXPORT int X509_CRL_get_ext_by_critical(const X509_CRL *x, int crit,
|
1489
|
-
int lastpos);
|
1490
|
-
|
1491
|
-
// X509_CRL_get_ext returns the extension in |x| at index |loc|, or NULL if
|
1492
|
-
// |loc| is out of bounds.
|
1493
|
-
OPENSSL_EXPORT X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc);
|
1494
|
-
|
1495
|
-
// X509_CRL_delete_ext removes the extension in |x| at index |loc| and returns
|
1496
|
-
// the removed extension, or NULL if |loc| was out of bounds. If non-NULL, the
|
1497
|
-
// caller must release the result with |X509_EXTENSION_free|. It is also safe,
|
1498
|
-
// but not necessary, to call |X509_EXTENSION_free| if the result is NULL.
|
1499
|
-
OPENSSL_EXPORT X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc);
|
1500
|
-
|
1501
|
-
// X509_CRL_add_ext adds a copy of |ex| to |x|. It returns one on success and
|
1502
|
-
// zero on failure. The caller retains ownership of |ex| and can release it
|
1503
|
-
// independently of |x|.
|
1504
|
-
//
|
1505
|
-
// The new extension is inserted at index |loc|, shifting extensions to the
|
1506
|
-
// right. If |loc| is -1 or out of bounds, the new extension is appended to the
|
1507
|
-
// list.
|
1508
|
-
OPENSSL_EXPORT int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc);
|
1509
|
-
|
1510
2116
|
// X509_CRL_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the
|
1511
2117
|
// extension in |crl|'s extension list.
|
1512
2118
|
//
|
@@ -1544,15 +2150,14 @@ OPENSSL_EXPORT int X509_REVOKED_get_ext_by_critical(const X509_REVOKED *x,
|
|
1544
2150
|
int crit, int lastpos);
|
1545
2151
|
|
1546
2152
|
// X509_REVOKED_get_ext returns the extension in |x| at index |loc|, or NULL if
|
1547
|
-
// |loc| is out of bounds.
|
2153
|
+
// |loc| is out of bounds. This function returns a non-const pointer for OpenSSL
|
2154
|
+
// compatibility, but callers should not mutate the result.
|
1548
2155
|
OPENSSL_EXPORT X509_EXTENSION *X509_REVOKED_get_ext(const X509_REVOKED *x,
|
1549
2156
|
int loc);
|
1550
2157
|
|
1551
2158
|
// X509_REVOKED_delete_ext removes the extension in |x| at index |loc| and
|
1552
2159
|
// returns the removed extension, or NULL if |loc| was out of bounds. If
|
1553
|
-
// non-NULL, the caller must release the result with |X509_EXTENSION_free|.
|
1554
|
-
// is also safe, but not necessary, to call |X509_EXTENSION_free| if the result
|
1555
|
-
// is NULL.
|
2160
|
+
// non-NULL, the caller must release the result with |X509_EXTENSION_free|.
|
1556
2161
|
OPENSSL_EXPORT X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x,
|
1557
2162
|
int loc);
|
1558
2163
|
|
@@ -1563,8 +2168,8 @@ OPENSSL_EXPORT X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x,
|
|
1563
2168
|
// The new extension is inserted at index |loc|, shifting extensions to the
|
1564
2169
|
// right. If |loc| is -1 or out of bounds, the new extension is appended to the
|
1565
2170
|
// list.
|
1566
|
-
OPENSSL_EXPORT int X509_REVOKED_add_ext(X509_REVOKED *x,
|
1567
|
-
int loc);
|
2171
|
+
OPENSSL_EXPORT int X509_REVOKED_add_ext(X509_REVOKED *x,
|
2172
|
+
const X509_EXTENSION *ex, int loc);
|
1568
2173
|
|
1569
2174
|
// X509_REVOKED_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the
|
1570
2175
|
// extension in |revoked|'s extension list.
|
@@ -1585,47 +2190,6 @@ OPENSSL_EXPORT int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid,
|
|
1585
2190
|
void *value, int crit,
|
1586
2191
|
unsigned long flags);
|
1587
2192
|
|
1588
|
-
// X509_EXTENSION_create_by_NID creates a new |X509_EXTENSION| with type |nid|,
|
1589
|
-
// value |data|, and critical bit |crit|. It returns the newly-allocated
|
1590
|
-
// |X509_EXTENSION| on success, and false on error. |nid| should be a |NID_*|
|
1591
|
-
// constant.
|
1592
|
-
//
|
1593
|
-
// If |ex| and |*ex| are both non-NULL, it modifies and returns |*ex| instead of
|
1594
|
-
// creating a new object. If |ex| is non-NULL, but |*ex| is NULL, it sets |*ex|
|
1595
|
-
// to the new |X509_EXTENSION|, in addition to returning the result.
|
1596
|
-
OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_create_by_NID(
|
1597
|
-
X509_EXTENSION **ex, int nid, int crit, const ASN1_OCTET_STRING *data);
|
1598
|
-
|
1599
|
-
// X509_EXTENSION_create_by_OBJ behaves like |X509_EXTENSION_create_by_NID|, but
|
1600
|
-
// the extension type is determined by an |ASN1_OBJECT|.
|
1601
|
-
OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_create_by_OBJ(
|
1602
|
-
X509_EXTENSION **ex, const ASN1_OBJECT *obj, int crit,
|
1603
|
-
const ASN1_OCTET_STRING *data);
|
1604
|
-
|
1605
|
-
// X509_EXTENSION_set_object sets |ex|'s extension type to |obj|. It returns one
|
1606
|
-
// on success and zero on error.
|
1607
|
-
OPENSSL_EXPORT int X509_EXTENSION_set_object(X509_EXTENSION *ex,
|
1608
|
-
const ASN1_OBJECT *obj);
|
1609
|
-
|
1610
|
-
// X509_EXTENSION_set_critical sets |ex| to critical if |crit| is non-zero and
|
1611
|
-
// to non-critical if |crit| is zero.
|
1612
|
-
OPENSSL_EXPORT int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit);
|
1613
|
-
|
1614
|
-
// X509_EXTENSION_set_data set's |ex|'s extension value to a copy of |data|. It
|
1615
|
-
// returns one on success and zero on error.
|
1616
|
-
OPENSSL_EXPORT int X509_EXTENSION_set_data(X509_EXTENSION *ex,
|
1617
|
-
const ASN1_OCTET_STRING *data);
|
1618
|
-
|
1619
|
-
// X509_EXTENSION_get_object returns |ex|'s extension type.
|
1620
|
-
OPENSSL_EXPORT ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex);
|
1621
|
-
|
1622
|
-
// X509_EXTENSION_get_data returns |ne|'s extension value.
|
1623
|
-
OPENSSL_EXPORT ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ne);
|
1624
|
-
|
1625
|
-
// X509_EXTENSION_get_critical returns one if |ex| is critical and zero
|
1626
|
-
// otherwise.
|
1627
|
-
OPENSSL_EXPORT int X509_EXTENSION_get_critical(const X509_EXTENSION *ex);
|
1628
|
-
|
1629
2193
|
// X509at_get_attr_count returns the number of attributes in |x|.
|
1630
2194
|
OPENSSL_EXPORT int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x);
|
1631
2195
|
|
@@ -1727,8 +2291,6 @@ OPENSSL_EXPORT int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr,
|
|
1727
2291
|
// |attr|'s type. If |len| is -1, |strlen(data)| is used instead. See
|
1728
2292
|
// |ASN1_STRING_set_by_NID| for details.
|
1729
2293
|
//
|
1730
|
-
// TODO(davidben): Document |ASN1_STRING_set_by_NID| so the reference is useful.
|
1731
|
-
//
|
1732
2294
|
// Otherwise, if |len| is not -1, the value is an ASN.1 string. |attrtype| is an
|
1733
2295
|
// |ASN1_STRING| type value and the |len| bytes from |data| are copied as the
|
1734
2296
|
// type-specific representation of |ASN1_STRING|. See |ASN1_STRING| for details.
|
@@ -1777,25 +2339,23 @@ OPENSSL_EXPORT ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr,
|
|
1777
2339
|
|
1778
2340
|
OPENSSL_EXPORT int X509_verify_cert(X509_STORE_CTX *ctx);
|
1779
2341
|
|
1780
|
-
// lookup a cert from a X509 STACK
|
1781
|
-
OPENSSL_EXPORT X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk,
|
1782
|
-
X509_NAME *name,
|
1783
|
-
ASN1_INTEGER *serial);
|
1784
|
-
OPENSSL_EXPORT X509 *X509_find_by_subject(STACK_OF(X509) *sk, X509_NAME *name);
|
1785
|
-
|
1786
2342
|
// PKCS#8 utilities
|
1787
2343
|
|
1788
|
-
|
2344
|
+
DECLARE_ASN1_FUNCTIONS_const(PKCS8_PRIV_KEY_INFO)
|
1789
2345
|
|
1790
|
-
|
1791
|
-
|
2346
|
+
// EVP_PKCS82PKEY returns |p8| as a newly-allocated |EVP_PKEY|, or NULL if the
|
2347
|
+
// key was unsupported or could not be decoded. If non-NULL, the caller must
|
2348
|
+
// release the result with |EVP_PKEY_free| when done.
|
2349
|
+
//
|
2350
|
+
// Use |EVP_parse_private_key| instead.
|
2351
|
+
OPENSSL_EXPORT EVP_PKEY *EVP_PKCS82PKEY(const PKCS8_PRIV_KEY_INFO *p8);
|
1792
2352
|
|
1793
|
-
|
1794
|
-
|
1795
|
-
|
1796
|
-
|
1797
|
-
|
1798
|
-
|
2353
|
+
// EVP_PKEY2PKCS8 encodes |pkey| as a PKCS#8 PrivateKeyInfo (RFC 5208),
|
2354
|
+
// represented as a newly-allocated |PKCS8_PRIV_KEY_INFO|, or NULL on error. The
|
2355
|
+
// caller must release the result with |PKCS8_PRIV_KEY_INFO_free| when done.
|
2356
|
+
//
|
2357
|
+
// Use |EVP_marshal_private_key| instead.
|
2358
|
+
OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(const EVP_PKEY *pkey);
|
1799
2359
|
|
1800
2360
|
// X509_PUBKEY_set0_param sets |pub| to a key with AlgorithmIdentifier
|
1801
2361
|
// determined by |obj|, |param_type|, and |param_value|, and an encoded
|
@@ -1852,7 +2412,7 @@ struct rsa_pss_params_st {
|
|
1852
2412
|
X509_ALGOR *maskHash;
|
1853
2413
|
} /* RSA_PSS_PARAMS */;
|
1854
2414
|
|
1855
|
-
|
2415
|
+
DECLARE_ASN1_FUNCTIONS_const(RSA_PSS_PARAMS)
|
1856
2416
|
|
1857
2417
|
/*
|
1858
2418
|
SSL_CTX -> X509_STORE
|
@@ -1977,14 +2537,6 @@ OPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
|
|
1977
2537
|
#define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53
|
1978
2538
|
#define X509_V_ERR_CRL_PATH_VALIDATION_ERROR 54
|
1979
2539
|
|
1980
|
-
// Suite B mode algorithm violation
|
1981
|
-
#define X509_V_ERR_SUITE_B_INVALID_VERSION 56
|
1982
|
-
#define X509_V_ERR_SUITE_B_INVALID_ALGORITHM 57
|
1983
|
-
#define X509_V_ERR_SUITE_B_INVALID_CURVE 58
|
1984
|
-
#define X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM 59
|
1985
|
-
#define X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED 60
|
1986
|
-
#define X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 61
|
1987
|
-
|
1988
2540
|
// Host, email and IP check errors
|
1989
2541
|
#define X509_V_ERR_HOSTNAME_MISMATCH 62
|
1990
2542
|
#define X509_V_ERR_EMAIL_MISMATCH 63
|
@@ -2011,7 +2563,7 @@ OPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
|
|
2011
2563
|
#define X509_V_FLAG_IGNORE_CRITICAL 0x10
|
2012
2564
|
// Does nothing as its functionality has been enabled by default.
|
2013
2565
|
#define X509_V_FLAG_X509_STRICT 0x00
|
2014
|
-
//
|
2566
|
+
// This flag does nothing as proxy certificate support has been removed.
|
2015
2567
|
#define X509_V_FLAG_ALLOW_PROXY_CERTS 0x40
|
2016
2568
|
// Enable policy checking
|
2017
2569
|
#define X509_V_FLAG_POLICY_CHECK 0x80
|
@@ -2031,12 +2583,6 @@ OPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
|
|
2031
2583
|
#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
|
2032
2584
|
// Use trusted store first
|
2033
2585
|
#define X509_V_FLAG_TRUSTED_FIRST 0x8000
|
2034
|
-
// Suite B 128 bit only mode: not normally used
|
2035
|
-
#define X509_V_FLAG_SUITEB_128_LOS_ONLY 0x10000
|
2036
|
-
// Suite B 192 bit only mode
|
2037
|
-
#define X509_V_FLAG_SUITEB_192_LOS 0x20000
|
2038
|
-
// Suite B 128 bit mode allowing 192 bit algorithms
|
2039
|
-
#define X509_V_FLAG_SUITEB_128_LOS 0x30000
|
2040
2586
|
|
2041
2587
|
// Allow partial chains if at least one certificate is in trusted store
|
2042
2588
|
#define X509_V_FLAG_PARTIAL_CHAIN 0x80000
|
@@ -2046,6 +2592,10 @@ OPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
|
|
2046
2592
|
// will force the behaviour to match that of previous versions.
|
2047
2593
|
#define X509_V_FLAG_NO_ALT_CHAINS 0x100000
|
2048
2594
|
|
2595
|
+
// X509_V_FLAG_NO_CHECK_TIME disables all time checks in certificate
|
2596
|
+
// verification.
|
2597
|
+
#define X509_V_FLAG_NO_CHECK_TIME 0x200000
|
2598
|
+
|
2049
2599
|
#define X509_VP_FLAG_DEFAULT 0x1
|
2050
2600
|
#define X509_VP_FLAG_OVERWRITE 0x2
|
2051
2601
|
#define X509_VP_FLAG_RESET_FLAGS 0x4
|
@@ -2144,8 +2694,21 @@ OPENSSL_EXPORT void X509_STORE_CTX_zero(X509_STORE_CTX *ctx);
|
|
2144
2694
|
OPENSSL_EXPORT void X509_STORE_CTX_free(X509_STORE_CTX *ctx);
|
2145
2695
|
OPENSSL_EXPORT int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
|
2146
2696
|
X509 *x509, STACK_OF(X509) *chain);
|
2697
|
+
|
2698
|
+
// X509_STORE_CTX_set0_trusted_stack configures |ctx| to trust the certificates
|
2699
|
+
// in |sk|. |sk| must remain valid for the duration of |ctx|.
|
2700
|
+
//
|
2701
|
+
// WARNING: This function differs from most |set0| functions in that it does not
|
2702
|
+
// take ownership of its input. The caller is required to ensure the lifetimes
|
2703
|
+
// are consistent.
|
2704
|
+
OPENSSL_EXPORT void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx,
|
2705
|
+
STACK_OF(X509) *sk);
|
2706
|
+
|
2707
|
+
// X509_STORE_CTX_trusted_stack is a deprecated alias for
|
2708
|
+
// |X509_STORE_CTX_set0_trusted_stack|.
|
2147
2709
|
OPENSSL_EXPORT void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx,
|
2148
2710
|
STACK_OF(X509) *sk);
|
2711
|
+
|
2149
2712
|
OPENSSL_EXPORT void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);
|
2150
2713
|
|
2151
2714
|
OPENSSL_EXPORT X509_STORE *X509_STORE_CTX_get0_store(X509_STORE_CTX *ctx);
|
@@ -2180,15 +2743,6 @@ OPENSSL_EXPORT void X509_LOOKUP_free(X509_LOOKUP *ctx);
|
|
2180
2743
|
OPENSSL_EXPORT int X509_LOOKUP_init(X509_LOOKUP *ctx);
|
2181
2744
|
OPENSSL_EXPORT int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type,
|
2182
2745
|
X509_NAME *name, X509_OBJECT *ret);
|
2183
|
-
OPENSSL_EXPORT int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type,
|
2184
|
-
X509_NAME *name,
|
2185
|
-
ASN1_INTEGER *serial,
|
2186
|
-
X509_OBJECT *ret);
|
2187
|
-
OPENSSL_EXPORT int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type,
|
2188
|
-
unsigned char *bytes, int len,
|
2189
|
-
X509_OBJECT *ret);
|
2190
|
-
OPENSSL_EXPORT int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str,
|
2191
|
-
int len, X509_OBJECT *ret);
|
2192
2746
|
OPENSSL_EXPORT int X509_LOOKUP_shutdown(X509_LOOKUP *ctx);
|
2193
2747
|
|
2194
2748
|
#ifndef OPENSSL_NO_STDIO
|
@@ -2196,14 +2750,6 @@ OPENSSL_EXPORT int X509_STORE_load_locations(X509_STORE *ctx, const char *file,
|
|
2196
2750
|
const char *dir);
|
2197
2751
|
OPENSSL_EXPORT int X509_STORE_set_default_paths(X509_STORE *ctx);
|
2198
2752
|
#endif
|
2199
|
-
|
2200
|
-
OPENSSL_EXPORT int X509_STORE_CTX_get_ex_new_index(long argl, void *argp,
|
2201
|
-
CRYPTO_EX_unused *unused,
|
2202
|
-
CRYPTO_EX_dup *dup_unused,
|
2203
|
-
CRYPTO_EX_free *free_func);
|
2204
|
-
OPENSSL_EXPORT int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx,
|
2205
|
-
void *data);
|
2206
|
-
OPENSSL_EXPORT void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx);
|
2207
2753
|
OPENSSL_EXPORT int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
|
2208
2754
|
OPENSSL_EXPORT void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int s);
|
2209
2755
|
OPENSSL_EXPORT int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
|
@@ -2231,13 +2777,12 @@ OPENSSL_EXPORT void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx,
|
|
2231
2777
|
unsigned long flags);
|
2232
2778
|
OPENSSL_EXPORT void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx,
|
2233
2779
|
unsigned long flags, time_t t);
|
2780
|
+
OPENSSL_EXPORT void X509_STORE_CTX_set_time_posix(X509_STORE_CTX *ctx,
|
2781
|
+
unsigned long flags,
|
2782
|
+
int64_t t);
|
2234
2783
|
OPENSSL_EXPORT void X509_STORE_CTX_set_verify_cb(
|
2235
2784
|
X509_STORE_CTX *ctx, int (*verify_cb)(int, X509_STORE_CTX *));
|
2236
2785
|
|
2237
|
-
OPENSSL_EXPORT X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(
|
2238
|
-
X509_STORE_CTX *ctx);
|
2239
|
-
OPENSSL_EXPORT int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx);
|
2240
|
-
|
2241
2786
|
OPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(
|
2242
2787
|
X509_STORE_CTX *ctx);
|
2243
2788
|
OPENSSL_EXPORT void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx,
|
@@ -2269,10 +2814,12 @@ OPENSSL_EXPORT void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param,
|
|
2269
2814
|
int depth);
|
2270
2815
|
OPENSSL_EXPORT void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param,
|
2271
2816
|
time_t t);
|
2817
|
+
OPENSSL_EXPORT void X509_VERIFY_PARAM_set_time_posix(X509_VERIFY_PARAM *param,
|
2818
|
+
int64_t t);
|
2272
2819
|
OPENSSL_EXPORT int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
|
2273
2820
|
ASN1_OBJECT *policy);
|
2274
2821
|
OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_policies(
|
2275
|
-
X509_VERIFY_PARAM *param, STACK_OF(ASN1_OBJECT) *policies);
|
2822
|
+
X509_VERIFY_PARAM *param, const STACK_OF(ASN1_OBJECT) *policies);
|
2276
2823
|
|
2277
2824
|
OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
|
2278
2825
|
const char *name,
|
@@ -2303,37 +2850,6 @@ OPENSSL_EXPORT const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(
|
|
2303
2850
|
const char *name);
|
2304
2851
|
OPENSSL_EXPORT void X509_VERIFY_PARAM_table_cleanup(void);
|
2305
2852
|
|
2306
|
-
OPENSSL_EXPORT int X509_policy_check(X509_POLICY_TREE **ptree,
|
2307
|
-
int *pexplicit_policy,
|
2308
|
-
STACK_OF(X509) *certs,
|
2309
|
-
STACK_OF(ASN1_OBJECT) *policy_oids,
|
2310
|
-
unsigned int flags);
|
2311
|
-
|
2312
|
-
OPENSSL_EXPORT void X509_policy_tree_free(X509_POLICY_TREE *tree);
|
2313
|
-
|
2314
|
-
OPENSSL_EXPORT int X509_policy_tree_level_count(const X509_POLICY_TREE *tree);
|
2315
|
-
OPENSSL_EXPORT X509_POLICY_LEVEL *X509_policy_tree_get0_level(
|
2316
|
-
const X509_POLICY_TREE *tree, int i);
|
2317
|
-
|
2318
|
-
OPENSSL_EXPORT STACK_OF(X509_POLICY_NODE) *X509_policy_tree_get0_policies(
|
2319
|
-
const X509_POLICY_TREE *tree);
|
2320
|
-
|
2321
|
-
OPENSSL_EXPORT STACK_OF(X509_POLICY_NODE) *X509_policy_tree_get0_user_policies(
|
2322
|
-
const X509_POLICY_TREE *tree);
|
2323
|
-
|
2324
|
-
OPENSSL_EXPORT int X509_policy_level_node_count(X509_POLICY_LEVEL *level);
|
2325
|
-
|
2326
|
-
OPENSSL_EXPORT X509_POLICY_NODE *X509_policy_level_get0_node(
|
2327
|
-
X509_POLICY_LEVEL *level, int i);
|
2328
|
-
|
2329
|
-
OPENSSL_EXPORT const ASN1_OBJECT *X509_policy_node_get0_policy(
|
2330
|
-
const X509_POLICY_NODE *node);
|
2331
|
-
|
2332
|
-
OPENSSL_EXPORT STACK_OF(POLICYQUALINFO) *X509_policy_node_get0_qualifiers(
|
2333
|
-
const X509_POLICY_NODE *node);
|
2334
|
-
OPENSSL_EXPORT const X509_POLICY_NODE *X509_policy_node_get0_parent(
|
2335
|
-
const X509_POLICY_NODE *node);
|
2336
|
-
|
2337
2853
|
|
2338
2854
|
#if defined(__cplusplus)
|
2339
2855
|
} // extern C
|
@@ -2352,14 +2868,12 @@ BORINGSSL_MAKE_DELETER(X509_ALGOR, X509_ALGOR_free)
|
|
2352
2868
|
BORINGSSL_MAKE_DELETER(X509_ATTRIBUTE, X509_ATTRIBUTE_free)
|
2353
2869
|
BORINGSSL_MAKE_DELETER(X509_CRL, X509_CRL_free)
|
2354
2870
|
BORINGSSL_MAKE_UP_REF(X509_CRL, X509_CRL_up_ref)
|
2355
|
-
BORINGSSL_MAKE_DELETER(X509_CRL_METHOD, X509_CRL_METHOD_free)
|
2356
2871
|
BORINGSSL_MAKE_DELETER(X509_EXTENSION, X509_EXTENSION_free)
|
2357
2872
|
BORINGSSL_MAKE_DELETER(X509_INFO, X509_INFO_free)
|
2358
2873
|
BORINGSSL_MAKE_DELETER(X509_LOOKUP, X509_LOOKUP_free)
|
2359
2874
|
BORINGSSL_MAKE_DELETER(X509_NAME, X509_NAME_free)
|
2360
2875
|
BORINGSSL_MAKE_DELETER(X509_NAME_ENTRY, X509_NAME_ENTRY_free)
|
2361
2876
|
BORINGSSL_MAKE_DELETER(X509_PKEY, X509_PKEY_free)
|
2362
|
-
BORINGSSL_MAKE_DELETER(X509_POLICY_TREE, X509_policy_tree_free)
|
2363
2877
|
BORINGSSL_MAKE_DELETER(X509_PUBKEY, X509_PUBKEY_free)
|
2364
2878
|
BORINGSSL_MAKE_DELETER(X509_REQ, X509_REQ_free)
|
2365
2879
|
BORINGSSL_MAKE_DELETER(X509_REVOKED, X509_REVOKED_free)
|
@@ -2415,5 +2929,9 @@ BSSL_NAMESPACE_END
|
|
2415
2929
|
#define X509_R_DELTA_CRL_WITHOUT_CRL_NUMBER 138
|
2416
2930
|
#define X509_R_INVALID_FIELD_FOR_VERSION 139
|
2417
2931
|
#define X509_R_INVALID_VERSION 140
|
2932
|
+
#define X509_R_NO_CERTIFICATE_FOUND 141
|
2933
|
+
#define X509_R_NO_CERTIFICATE_OR_CRL_FOUND 142
|
2934
|
+
#define X509_R_NO_CRL_FOUND 143
|
2935
|
+
#define X509_R_INVALID_POLICY_EXTENSION 144
|
2418
2936
|
|
2419
|
-
#endif
|
2937
|
+
#endif // OPENSSL_HEADER_X509_H
|