openssl-prebuild/linux_amd64/ssl/share/doc/openssl/html/man3/X509_get_extension_flags.html

<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>X509_get_extension_flags</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:root@localhost" />
</head>

<body style="background-color: white">


<!-- INDEX BEGIN -->
<div name="index">
<p><a name="__index__"></a></p>

<ul>

	<li><a href="#name">NAME</a></li>
	<li><a href="#synopsis">SYNOPSIS</a></li>
	<li><a href="#description">DESCRIPTION</a></li>
	<li><a href="#notes">NOTES</a></li>
	<li><a href="#return_values">RETURN VALUES</a></li>
	<li><a href="#see_also">SEE ALSO</a></li>
	<li><a href="#history">HISTORY</a></li>
	<li><a href="#copyright">COPYRIGHT</a></li>
</ul>

<hr name="index" />
</div>
<!-- INDEX END -->

<p>
</p>
<hr />
<h1><a name="name">NAME</a></h1>
<p>X509_get0_subject_key_id,
X509_get0_authority_key_id,
X509_get0_authority_issuer,
X509_get0_authority_serial,
X509_get_pathlen,
X509_get_extension_flags,
X509_get_key_usage,
X509_get_extended_key_usage,
X509_set_proxy_flag,
X509_set_proxy_pathlen,
X509_get_proxy_pathlen - retrieve certificate extension data</p>
<p>
</p>
<hr />
<h1><a name="synopsis">SYNOPSIS</a></h1>
<pre>
 #include &lt;openssl/x509v3.h&gt;</pre>
<pre>
 long X509_get_pathlen(X509 *x);
 uint32_t X509_get_extension_flags(X509 *x);
 uint32_t X509_get_key_usage(X509 *x);
 uint32_t X509_get_extended_key_usage(X509 *x);
 const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x);
 const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x);
 const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x);
 const ASN1_INTEGER *X509_get0_authority_serial(X509 *x);
 void X509_set_proxy_flag(X509 *x);
 void X509_set_proxy_pathlen(int l);
 long X509_get_proxy_pathlen(X509 *x);</pre>
<p>
</p>
<hr />
<h1><a name="description">DESCRIPTION</a></h1>
<p>These functions retrieve information related to commonly used certificate extensions.</p>
<p>X509_get_pathlen() retrieves the path length extension from a certificate.
This extension is used to limit the length of a cert chain that may be
issued from that CA.</p>
<p>X509_get_extension_flags() retrieves general information about a certificate,
it will return one or more of the following flags ored together.</p>
<dl>
<dt><strong><a name="exflag_v1" class="item"><strong>EXFLAG_V1</strong></a></strong></dt>

<dd>
<p>The certificate is an obsolete version 1 certificate.</p>
</dd>
<dt><strong><a name="exflag_bcons" class="item"><strong>EXFLAG_BCONS</strong></a></strong></dt>

<dd>
<p>The certificate contains a basic constraints extension.</p>
</dd>
<dt><strong><a name="exflag_ca" class="item"><strong>EXFLAG_CA</strong></a></strong></dt>

<dd>
<p>The certificate contains basic constraints and asserts the CA flag.</p>
</dd>
<dt><strong><a name="exflag_proxy" class="item"><strong>EXFLAG_PROXY</strong></a></strong></dt>

<dd>
<p>The certificate is a valid proxy certificate.</p>
</dd>
<dt><strong><a name="exflag_si" class="item"><strong>EXFLAG_SI</strong></a></strong></dt>

<dd>
<p>The certificate is self issued (that is subject and issuer names match).</p>
</dd>
<dt><strong><a name="exflag_ss" class="item"><strong>EXFLAG_SS</strong></a></strong></dt>

<dd>
<p>The subject and issuer names match and extension values imply it is self
signed.</p>
</dd>
<dt><strong><a name="exflag_freshest" class="item"><strong>EXFLAG_FRESHEST</strong></a></strong></dt>

<dd>
<p>The freshest CRL extension is present in the certificate.</p>
</dd>
<dt><strong><a name="exflag_critical" class="item"><strong>EXFLAG_CRITICAL</strong></a></strong></dt>

<dd>
<p>The certificate contains an unhandled critical extension.</p>
</dd>
<dt><strong><a name="exflag_invalid" class="item"><strong>EXFLAG_INVALID</strong></a></strong></dt>

<dd>
<p>Some certificate extension values are invalid or inconsistent. The
certificate should be rejected.</p>
</dd>
<dt><strong><a name="exflag_kusage" class="item"><strong>EXFLAG_KUSAGE</strong></a></strong></dt>

<dd>
<p>The certificate contains a key usage extension. The value can be retrieved
using X509_get_key_usage().</p>
</dd>
<dt><strong><a name="exflag_xkusage" class="item"><strong>EXFLAG_XKUSAGE</strong></a></strong></dt>

<dd>
<p>The certificate contains an extended key usage extension. The value can be
retrieved using X509_get_extended_key_usage().</p>
</dd>
</dl>
<p>X509_get_key_usage() returns the value of the key usage extension.  If key
usage is present will return zero or more of the flags:
<strong>KU_DIGITAL_SIGNATURE</strong>, <strong>KU_NON_REPUDIATION</strong>, <strong>KU_KEY_ENCIPHERMENT</strong>,
<strong>KU_DATA_ENCIPHERMENT</strong>, <strong>KU_KEY_AGREEMENT</strong>, <strong>KU_KEY_CERT_SIGN</strong>,
<strong>KU_CRL_SIGN</strong>, <strong>KU_ENCIPHER_ONLY</strong> or <strong>KU_DECIPHER_ONLY</strong> corresponding to
individual key usage bits. If key usage is absent then <strong>UINT32_MAX</strong> is
returned.</p>
<p>X509_get_extended_key_usage() returns the value of the extended key usage
extension. If extended key usage is present it will return zero or more of the
flags: <strong>XKU_SSL_SERVER</strong>, <strong>XKU_SSL_CLIENT</strong>, <strong>XKU_SMIME</strong>, <strong>XKU_CODE_SIGN</strong>
<strong>XKU_OCSP_SIGN</strong>, <strong>XKU_TIMESTAMP</strong>, <strong>XKU_DVCS</strong> or <strong>XKU_ANYEKU</strong>. These
correspond to the OIDs <strong>id-kp-serverAuth</strong>, <strong>id-kp-clientAuth</strong>,
<strong>id-kp-emailProtection</strong>, <strong>id-kp-codeSigning</strong>, <strong>id-kp-OCSPSigning</strong>,
<strong>id-kp-timeStamping</strong>, <strong>id-kp-dvcs</strong> and <strong>anyExtendedKeyUsage</strong> respectively.
Additionally <strong>XKU_SGC</strong> is set if either Netscape or Microsoft SGC OIDs are
present.</p>
<p>X509_get0_subject_key_id() returns an internal pointer to the subject key
identifier of <strong>x</strong> as an <strong>ASN1_OCTET_STRING</strong> or <strong>NULL</strong> if the extension
is not present or cannot be parsed.</p>
<p>X509_get0_authority_key_id() returns an internal pointer to the authority key
identifier of <strong>x</strong> as an <strong>ASN1_OCTET_STRING</strong> or <strong>NULL</strong> if the extension
is not present or cannot be parsed.</p>
<p>X509_get0_authority_issuer() returns an internal pointer to the authority
certificate issuer of <strong>x</strong> as a stack of <strong>GENERAL_NAME</strong> structures or
<strong>NULL</strong> if the extension is not present or cannot be parsed.</p>
<p>X509_get0_authority_serial() returns an internal pointer to the authority
certificate serial number of <strong>x</strong> as an <strong>ASN1_INTEGER</strong> or <strong>NULL</strong> if the
extension is not present or cannot be parsed.</p>
<p>X509_set_proxy_flag() marks the certificate with the <strong>EXFLAG_PROXY</strong> flag.
This is for the users who need to mark non-<a href="http://www.ietf.org/rfc/rfc3820.txt" class="rfc">RFC3820</a> proxy certificates as
such, as OpenSSL only detects <a href="http://www.ietf.org/rfc/rfc3820.txt" class="rfc">RFC3820</a> compliant ones.</p>
<p>X509_set_proxy_pathlen() sets the proxy certificate path length for the given
certificate <strong>x</strong>.  This is for the users who need to mark non-<a href="http://www.ietf.org/rfc/rfc3820.txt" class="rfc">RFC3820</a> proxy
certificates as such, as OpenSSL only detects <a href="http://www.ietf.org/rfc/rfc3820.txt" class="rfc">RFC3820</a> compliant ones.</p>
<p>X509_get_proxy_pathlen() returns the proxy certificate path length for the
given certificate <strong>x</strong> if it is a proxy certificate.</p>
<p>
</p>
<hr />
<h1><a name="notes">NOTES</a></h1>
<p>The value of the flags correspond to extension values which are cached
in the <strong>X509</strong> structure. If the flags returned do not provide sufficient
information an application should examine extension values directly
for example using X509_get_ext_d2i().</p>
<p>If the key usage or extended key usage extension is absent then typically usage
is unrestricted. For this reason X509_get_key_usage() and
X509_get_extended_key_usage() return <strong>UINT32_MAX</strong> when the corresponding
extension is absent. Applications can additionally check the return value of
X509_get_extension_flags() and take appropriate action is an extension is
absent.</p>
<p>If X509_get0_subject_key_id() returns <strong>NULL</strong> then the extension may be
absent or malformed. Applications can determine the precise reason using
X509_get_ext_d2i().</p>
<p>
</p>
<hr />
<h1><a name="return_values">RETURN VALUES</a></h1>
<p>X509_get_pathlen() returns the path length value, or -1 if the extension
is not present.</p>
<p>X509_get_extension_flags(), X509_get_key_usage() and
X509_get_extended_key_usage() return sets of flags corresponding to the
certificate extension values.</p>
<p>X509_get0_subject_key_id() returns the subject key identifier as a
pointer to an <strong>ASN1_OCTET_STRING</strong> structure or <strong>NULL</strong> if the extension
is absent or an error occurred during parsing.</p>
<p>X509_get_proxy_pathlen() returns the path length value if the given
certificate is a proxy one and has a path length set, and -1 otherwise.</p>
<p>
</p>
<hr />
<h1><a name="see_also">SEE ALSO</a></h1>
<p><em>X509_check_purpose(3)</em></p>
<p>
</p>
<hr />
<h1><a name="history">HISTORY</a></h1>
<p>X509_get_pathlen(), X509_set_proxy_flag(), X509_set_proxy_pathlen() and
X509_get_proxy_pathlen() were added in OpenSSL 1.1.0.</p>
<p>
</p>
<hr />
<h1><a name="copyright">COPYRIGHT</a></h1>
<p>Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;).  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
<a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>

</body>

</html>