The following constants are tag classes.

V_ASN1_CONSTRUCTED indicates an element is constructed, rather than primitive.

V_ASN1_PRIMITIVE_TAG is the highest tag number which can be encoded in a single byte. Note this is unrelated to whether an element is constructed or primitive.

TODO(davidben): Make this private.

V_ASN1_MAX_UNIVERSAL is the highest supported universal tag number. It is necessary to avoid ambiguity with V_ASN1_NEG and MBSTRING_FLAG.

TODO(davidben): Make this private.

V_ASN1_UNDEF is used in some APIs to indicate an ASN.1 element is omitted.

V_ASN1_OTHER is used in ASN1_TYPE to indicate a non-universal ASN.1 type.

V_ASN1_ANY is used by the ASN.1 templates to indicate an ANY type.

The following constants are tag numbers for universal types.

The following constants are used for ASN1_STRING values that represent negative INTEGER and ENUMERATED values. See ASN1_STRING for more details.

The following constants are bitmask representations of ASN.1 types.

ASN1_tag2bit converts tag from the tag number of a universal type to a corresponding B_ASN1_* constant, B_ASN1_UNKNOWN, or zero. If the B_ASN1_* constant above is defined, it will map the corresponding V_ASN1_* constant to it. Otherwise, whether it returns B_ASN1_UNKNOWN or zero is ill-defined and callers should not rely on it.

TODO(https://crbug.com/boringssl/412): Figure out what B_ASN1_UNNOWN vs zero is meant to be. The main impact is what values go in B_ASN1_PRINTABLE. To that end, we must return zero on types that can't go in ASN1_STRING.

ASN1_tag2str returns a string representation of tag, interpret as a tag number for a universal type, or V_ASN1_NEG_*.

d2i_SAMPLE parses a structure from up to len bytes at *inp. On success, it advances *inp by the number of bytes read and returns a newly-allocated SAMPLE object containing the parsed structure. If out is non-NULL, it additionally frees the previous value at *out and updates *out to the result. If parsing or allocating the result fails, it returns NULL.

This function does not reject trailing data in the input. This allows the caller to parse a sequence of concatenated structures. Callers parsing only one structure should check for trailing data by comparing the updated *inp with the end of the input.

Note: If out and *out are both non-NULL, the object at *out is not updated in-place. Instead, it is freed, and the pointer is updated to the new object. This differs from OpenSSL. Callers are recommended to set out to NULL and instead use the return value.

i2d_SAMPLE marshals in. On error, it returns a negative value. On success, it returns the length of the result and outputs it via outp as follows:

If outp is NULL, the function writes nothing. This mode can be used to size buffers.

If outp is non-NULL but *outp is NULL, the function sets *outp to a newly-allocated buffer containing the result. The caller is responsible for releasing *outp with OPENSSL_free. This mode is recommended for most callers.

If outp and *outp are non-NULL, the function writes the result to *outp, which must have enough space available, and advances *outp just past the output.

WARNING: In the third mode, the function does not internally check output bounds. Failing to correctly size the buffer will result in a potentially exploitable memory error.

The following typedefs are sometimes used for pointers to functions like d2i_SAMPLE and i2d_SAMPLE. Note, however, that these act on void*. Calling a function with a different pointer type is undefined in C, so this is only valid with a wrapper.

DECLARE_ASN1_ITEM declares an ASN1_ITEM with name name. The ASN1_ITEM may be referenced with ASN1_ITEM_rptr. Uses of this macro should document the corresponding ASN.1 and C types.

ASN1_ITEM_rptr returns the |const ASN1_ITEM *| named name.

ASN1_ITEM_EXP is an abstraction for referencing an ASN1_ITEM in a constant-initialized structure, such as a method table. It exists because, on some OpenSSL platforms, ASN1_ITEM references are indirected through functions. Structures reference the ASN1_ITEM by declaring a field like |ASN1_ITEM_EXP *item| and initializing it with ASN1_ITEM_ref.

ASN1_ITEM_ref returns an ASN1_ITEM_EXP* for the ASN1_ITEM named name.

ASN1_ITEM_ptr converts iptr, which must be an ASN1_ITEM_EXP* to a |const ASN1_ITEM*|.

ASN1_VALUE_st (aka ASN1_VALUE) is an opaque type used as a placeholder for the C type corresponding to an ASN1_ITEM.

ASN1_item_new allocates a new value of the C type corresponding to it, or NULL on error. On success, the caller must release the value with ASN1_item_free, or the corresponding C type's free function, when done. The new value will initialize fields of the value to some default state, such as an empty string. Note, however, that this default state sometimes omits required values, such as with CHOICE types.

This function may not be used with ASN1_ITEMs whose C type is ASN1_BOOLEAN.

WARNING: Casting the result of this function to the wrong type is a potentially exploitable memory error. Callers must ensure the value is used consistently with it. Prefer using type-specific functions such as ASN1_OCTET_STRING_new.

ASN1_item_free releases memory associated with val, which must be an object of the C type corresponding to it.

This function may not be used with ASN1_ITEMs whose C type is ASN1_BOOLEAN.

WARNING: Passing a pointer of the wrong type into this function is a potentially exploitable memory error. Callers must ensure val is consistent with it. Prefer using type-specific functions such as ASN1_OCTET_STRING_free.

ASN1_item_d2i parses the ASN.1 type it from up to len bytes at *inp. It behaves like d2i_SAMPLE, except that out and the return value are cast to ASN1_VALUE pointers.

TODO(https://crbug.com/boringssl/444): C strict aliasing forbids type-punning T* and ASN1_VALUE* the way this function signature does. When that bug is resolved, we will need to pick which type *out is (probably T*). Do not use a non-NULL out to avoid ending up on the wrong side of this question.

This function may not be used with ASN1_ITEMs whose C type is ASN1_BOOLEAN.

WARNING: Casting the result of this function to the wrong type, or passing a pointer of the wrong type into this function, are potentially exploitable memory errors. Callers must ensure out is consistent with it. Prefer using type-specific functions such as d2i_ASN1_OCTET_STRING.

ASN1_item_i2d marshals val as the ASN.1 type associated with it, as described in i2d_SAMPLE.

This function may not be used with ASN1_ITEMs whose C type is ASN1_BOOLEAN.

WARNING: Passing a pointer of the wrong type into this function is a potentially exploitable memory error. Callers must ensure val is consistent with it. Prefer using type-specific functions such as i2d_ASN1_OCTET_STRING.

ASN1_item_dup returns a newly-allocated copy of x, or NULL on error. x must be an object of it's C type.

This function may not be used with ASN1_ITEMs whose C type is ASN1_BOOLEAN.

WARNING: Casting the result of this function to the wrong type, or passing a pointer of the wrong type into this function, are potentially exploitable memory errors. Prefer using type-specific functions such as ASN1_STRING_dup.

The following functions behave like ASN1_item_d2i but read from in instead. out is the same parameter as in ASN1_item_d2i, but written with void* instead. The return values similarly match.

These functions may not be used with ASN1_ITEMs whose C type is ASN1_BOOLEAN.

WARNING: These functions do not bound how much data is read from in. Parsing an untrusted input could consume unbounded memory.

The following functions behave like ASN1_item_i2d but write to out instead. in is the same parameter as in ASN1_item_i2d, but written with void* instead.

These functions may not be used with ASN1_ITEMs whose C type is ASN1_BOOLEAN.

ASN1_item_unpack parses oct's contents as it's ASN.1 type. It returns a newly-allocated instance of it's C type on success, or NULL on error.

This function may not be used with ASN1_ITEMs whose C type is ASN1_BOOLEAN.

WARNING: Casting the result of this function to the wrong type is a potentially exploitable memory error. Callers must ensure the value is used consistently with it.

ASN1_item_pack marshals obj as it's ASN.1 type. If out is NULL, it returns a newly-allocated ASN1_STRING with the result, or NULL on error. If out is non-NULL, but *out is NULL, it does the same but additionally sets *out to the result. If both out and *out are non-NULL, it writes the result to *out and returns *out on success or NULL on error.

This function may not be used with ASN1_ITEMs whose C type is ASN1_BOOLEAN.

WARNING: Passing a pointer of the wrong type into this function is a potentially exploitable memory error. Callers must ensure val is consistent with it.

ASN1_BOOLEAN_FALSE is FALSE as an ASN1_BOOLEAN.

ASN1_BOOLEAN_TRUE is TRUE as an ASN1_BOOLEAN. Some code incorrectly uses 1, so prefer |b != ASN1_BOOLEAN_FALSE| over |b == ASN1_BOOLEAN_TRUE|.

ASN1_BOOLEAN_NONE, in contexts where the ASN1_BOOLEAN represents an OPTIONAL BOOLEAN, is an omitted value. Using this value in other contexts is undefined and may be misinterpreted as TRUE.

d2i_ASN1_BOOLEAN parses a DER-encoded ASN.1 BOOLEAN from up to len bytes at *inp. On success, it advances *inp by the number of bytes read and returns the result. If out is non-NULL, it additionally writes the result to *out. On error, it returns ASN1_BOOLEAN_NONE.

This function does not reject trailing data in the input. This allows the caller to parse a sequence of concatenated structures. Callers parsing only one structure should check for trailing data by comparing the updated *inp with the end of the input.

WARNING: This function's is slightly different from other d2i_* functions because ASN1_BOOLEAN is not a pointer type.

i2d_ASN1_BOOLEAN marshals a as a DER-encoded ASN.1 BOOLEAN, as described in i2d_SAMPLE.

The following ASN1_ITEMs have ASN.1 type BOOLEAN and C type ASN1_BOOLEAN. ASN1_TBOOLEAN and ASN1_FBOOLEAN must be marked OPTIONAL. When omitted, they are parsed as TRUE and FALSE, respectively, rather than ASN1_BOOLEAN_NONE.

An asn1_string_st (aka ASN1_STRING) represents a value of a string-like ASN.1 type. It contains a type field, and a byte string data field with a type-specific representation.

If type is one of V_ASN1_OCTET_STRING, V_ASN1_UTF8STRING, V_ASN1_NUMERICSTRING, V_ASN1_PRINTABLESTRING, V_ASN1_T61STRING, V_ASN1_VIDEOTEXSTRING, V_ASN1_IA5STRING, V_ASN1_GRAPHICSTRING, V_ASN1_ISO64STRING, V_ASN1_VISIBLESTRING, V_ASN1_GENERALSTRING, V_ASN1_UNIVERSALSTRING, or V_ASN1_BMPSTRING, the object represents an ASN.1 string type. The data contains the byte representation of the string.

If type is V_ASN1_BIT_STRING, the object represents a BIT STRING value. See bit string documentation below for the data and flags.

If type is one of V_ASN1_INTEGER, V_ASN1_NEG_INTEGER, V_ASN1_ENUMERATED, or V_ASN1_NEG_ENUMERATED, the object represents an INTEGER or ENUMERATED value. See integer documentation below for details.

If type is V_ASN1_GENERALIZEDTIME or V_ASN1_UTCTIME, the object represents a GeneralizedTime or UTCTime value, respectively. The data contains the DER encoding of the value. For example, the UNIX epoch would be "19700101000000Z" for a GeneralizedTime and "700101000000Z" for a UTCTime.

If type is V_ASN1_SEQUENCE, V_ASN1_SET, or V_ASN1_OTHER, the object represents a SEQUENCE, SET, or arbitrary ASN.1 value, respectively. Unlike the above cases, the data contains the DER encoding of the entire structure, including the header. If the value is explicitly or implicitly tagged, this too will be reflected in the data field. As this case handles unknown types, the contents are not checked when parsing or serializing.

Other values of type do not represent a valid ASN.1 value, though default-constructed objects may set type to -1. Such objects cannot be serialized.

ASN1_STRING additionally has the following typedefs: ASN1_BIT_STRING, ASN1_BMPSTRING, ASN1_ENUMERATED, ASN1_GENERALIZEDTIME, ASN1_GENERALSTRING, ASN1_IA5STRING, ASN1_INTEGER, ASN1_OCTET_STRING, ASN1_PRINTABLESTRING, ASN1_T61STRING, ASN1_TIME, ASN1_UNIVERSALSTRING, ASN1_UTCTIME, ASN1_UTF8STRING, and ASN1_VISIBLESTRING. Other than ASN1_TIME, these correspond to universal ASN.1 types. ASN1_TIME represents a CHOICE of UTCTime and GeneralizedTime, with a cutoff of 2049, as used in Section 4.1.2.5 of RFC 5280.

For clarity, callers are encouraged to use the appropriate typedef when available. They are the same type as ASN1_STRING, so a caller may freely pass them into functions expecting ASN1_STRING, such as ASN1_STRING_length.

If a function returns an ASN1_STRING where the typedef or ASN.1 structure implies constraints on type, callers may assume that type is correct. However, if a function takes an ASN1_STRING as input, callers must ensure type matches. These invariants are not captured by the C type system and may not be checked at runtime. For example, callers may assume the output of X509_get0_serialNumber has type V_ASN1_INTEGER or V_ASN1_NEG_INTEGER. Callers must not pass a string of type V_ASN1_OCTET_STRING to X509_set_serialNumber. Doing so may break invariants on the X509 object and break the X509_get0_serialNumber invariant.

TODO(https://crbug.com/boringssl/445): This is very unfriendly. Getting the type field wrong should not cause memory errors, but it may do strange things. We should add runtime checks to anything that consumes ASN1_STRINGs from the caller.

ASN1_STRING_FLAG_BITS_LEFT indicates, in a BIT STRING ASN1_STRING, that flags & 0x7 contains the number of padding bits added to the BIT STRING value. When not set, all trailing zero bits in the last byte are implicitly treated as padding. This behavior is deprecated and should not be used.

ASN1_STRING_type_new returns a newly-allocated empty ASN1_STRING object of type type, or NULL on error.

ASN1_STRING_new returns a newly-allocated empty ASN1_STRING object with an arbitrary type. Prefer one of the type-specific constructors, such as ASN1_OCTET_STRING_new, or ASN1_STRING_type_new.

ASN1_STRING_free releases memory associated with str.

ASN1_STRING_copy sets dst to a copy of str. It returns one on success and zero on error.

ASN1_STRING_dup returns a newly-allocated copy of str, or NULL on error.

ASN1_STRING_type returns the type of str. This value will be one of the V_ASN1_* constants.

ASN1_STRING_get0_data returns a pointer to str's contents. Callers should use ASN1_STRING_length to determine the length of the string. The string may have embedded NUL bytes and may not be NUL-terminated.

ASN1_STRING_data returns a mutable pointer to str's contents. Callers should use ASN1_STRING_length to determine the length of the string. The string may have embedded NUL bytes and may not be NUL-terminated.

Prefer ASN1_STRING_get0_data.

ASN1_STRING_length returns the length of str, in bytes.

ASN1_STRING_cmp compares a and b's type and contents. It returns an integer equal to, less than, or greater than zero if a is equal to, less than, or greater than b, respectively. This function compares by length, then data, then type. Note the data compared is the ASN1_STRING internal representation and the type order is arbitrary. While this comparison is suitable for sorting, callers should not rely on the exact order when a and b are different types.

Note that, if a and b are INTEGERs, this comparison does not order the values numerically. For a numerical comparison, use ASN1_INTEGER_cmp.

ASN1_STRING_set sets the contents of str to a copy of len bytes from data. It returns one on success and zero on error. If data is NULL, it updates the length and allocates the buffer as needed, but does not initialize the contents.

ASN1_STRING_set0 sets the contents of str to len bytes from data. It takes ownership of data, which must have been allocated with OPENSSL_malloc.

The following functions call ASN1_STRING_type_new with the corresponding V_ASN1_* constant.

The following functions call ASN1_STRING_free.

The following functions parse up to len bytes from *inp as a DER-encoded ASN.1 value of the corresponding type, as described in d2i_SAMPLE.

The following functions marshal in as a DER-encoded ASN.1 value of the corresponding type, as described in i2d_SAMPLE.

The following ASN1_ITEMs have the ASN.1 type referred to in their name and C type ASN1_STRING*. The C type may also be written as the corresponding typedef.

ASN1_OCTET_STRING_dup calls ASN1_STRING_dup.

ASN1_OCTET_STRING_cmp calls ASN1_STRING_cmp.

ASN1_OCTET_STRING_set calls ASN1_STRING_set.

ASN1_STRING_to_UTF8 converts in to UTF-8. On success, sets *out to a newly-allocated buffer containing the resulting string and returns the length of the string. The caller must call OPENSSL_free to release *out when done. On error, it returns a negative number.

The following formats define encodings for use with functions like ASN1_mbstring_copy. Note MBSTRING_ASC refers to Latin-1, not ASCII.

DIRSTRING_TYPE contains the valid string types in an X.509 DirectoryString.

PKCS9STRING_TYPE contains the valid string types in a PKCS9String.

ASN1_mbstring_copy converts len bytes from in to an ASN.1 string. If len is -1, in must be NUL-terminated and the length is determined by strlen. in is decoded according to inform, which must be one of MBSTRING_*. mask determines the set of valid output types and is a bitmask containing a subset of B_ASN1_PRINTABLESTRING, B_ASN1_IA5STRING, B_ASN1_T61STRING, B_ASN1_BMPSTRING, B_ASN1_UNIVERSALSTRING, and B_ASN1_UTF8STRING, in that preference order. This function chooses the first output type in mask which can represent in. It interprets T61String as Latin-1, rather than T.61.

If mask is zero, DIRSTRING_TYPE is used by default.

On success, this function returns the V_ASN1_* constant corresponding to the selected output type and, if out and *out are both non-NULL, updates the object at *out with the result. If out is non-NULL and *out is NULL, it instead sets *out to a newly-allocated ASN1_STRING containing the result. If out is NULL, it returns the selected output type without constructing an ASN1_STRING. On error, this function returns -1.

ASN1_mbstring_ncopy behaves like ASN1_mbstring_copy but returns an error if the input is less than minsize or greater than maxsize codepoints long. A maxsize value of zero is ignored. Note the sizes are measured in codepoints, not output bytes.

ASN1_STRING_set_by_NID behaves like ASN1_mbstring_ncopy, but determines mask, minsize, and maxsize based on nid. When nid is a recognized X.509 attribute type, it will pick a suitable ASN.1 string type and bounds. For most attribute types, it preferentially chooses UTF8String. If nid is unrecognized, it uses UTF8String by default.

Slightly unlike ASN1_mbstring_ncopy, this function interprets out and returns its result as follows: If out is NULL, it returns a newly-allocated ASN1_STRING containing the result. If out is non-NULL and *out is NULL, it additionally sets *out to the result. If both out and *out are non-NULL, it instead updates the object at *out and returns *out. In all cases, it returns NULL on error.

This function supports the following NIDs: NID_countryName, NID_dnQualifier, NID_domainComponent, NID_friendlyName, NID_givenName, NID_initials, NID_localityName, NID_ms_csp_name, NID_name, NID_organizationalUnitName, NID_organizationName, NID_pkcs9_challengePassword, NID_pkcs9_emailAddress, NID_pkcs9_unstructuredAddress, NID_pkcs9_unstructuredName, NID_serialNumber, NID_stateOrProvinceName, and NID_surname. Additional NIDs may be registered with ASN1_STRING_set_by_NID, but it is recommended to call ASN1_mbstring_ncopy directly instead.

STABLE_NO_MASK causes ASN1_STRING_TABLE_add to allow types other than UTF8String.

ASN1_STRING_TABLE_add registers the corresponding parameters with nid, for use with ASN1_STRING_set_by_NID. It returns one on success and zero on error. It is an error to call this function if nid is a built-in NID, or was already registered by a previous call.

WARNING: This function affects global state in the library. If two libraries in the same address space register information for the same OID, one call will fail. Prefer directly passing the desired parametrs to ASN1_mbstring_copy or ASN1_mbstring_ncopy instead.

B_ASN1_DIRECTORYSTRING is a bitmask of types allowed in an X.509 DirectoryString (RFC 5280).

DIRECTORYSTRING_new returns a newly-allocated ASN1_STRING with type -1, or NULL on error. The resulting ASN1_STRING is not a valid X.509 DirectoryString until initialized with a value.

DIRECTORYSTRING_free calls ASN1_STRING_free.

d2i_DIRECTORYSTRING parses up to len bytes from *inp as a DER-encoded X.509 DirectoryString (RFC 5280), as described in d2i_SAMPLE.

TODO(https://crbug.com/boringssl/354): This function currently also accepts BER, but this will be removed in the future.

TODO(https://crbug.com/boringssl/449): DirectoryString's non-empty string requirement is not currently enforced.

i2d_DIRECTORYSTRING marshals in as a DER-encoded X.509 DirectoryString (RFC 5280), as described in i2d_SAMPLE.

DIRECTORYSTRING is an ASN1_ITEM whose ASN.1 type is X.509 DirectoryString (RFC 5280) and C type is ASN1_STRING*.

B_ASN1_DISPLAYTEXT is a bitmask of types allowed in an X.509 DisplayText (RFC 5280).

DISPLAYTEXT_new returns a newly-allocated ASN1_STRING with type -1, or NULL on error. The resulting ASN1_STRING is not a valid X.509 DisplayText until initialized with a value.

DISPLAYTEXT_free calls ASN1_STRING_free.

d2i_DISPLAYTEXT parses up to len bytes from *inp as a DER-encoded X.509 DisplayText (RFC 5280), as described in d2i_SAMPLE.

TODO(https://crbug.com/boringssl/354): This function currently also accepts BER, but this will be removed in the future.

TODO(https://crbug.com/boringssl/449): DisplayText's size limits are not currently enforced.

i2d_DISPLAYTEXT marshals in as a DER-encoded X.509 DisplayText (RFC 5280), as described in i2d_SAMPLE.

DISPLAYTEXT is an ASN1_ITEM whose ASN.1 type is X.509 DisplayText (RFC 5280) and C type is ASN1_STRING*.

ASN1_BIT_STRING_new calls ASN1_STRING_type_new with V_ASN1_BIT_STRING.

ASN1_BIT_STRING_free calls ASN1_STRING_free.

d2i_ASN1_BIT_STRING parses up to len bytes from *inp as a DER-encoded ASN.1 BIT STRING, as described in d2i_SAMPLE.

i2d_ASN1_BIT_STRING marshals in as a DER-encoded ASN.1 BIT STRING, as described in i2d_SAMPLE.

c2i_ASN1_BIT_STRING decodes len bytes from *inp as the contents of a DER-encoded BIT STRING, excluding the tag and length. It behaves like d2i_SAMPLE except, on success, it always consumes all len bytes.

i2c_ASN1_BIT_STRING encodes in as the contents of a DER-encoded BIT STRING, excluding the tag and length. If outp is non-NULL, it writes the result to *outp, advances *outp just past the output, and returns the number of bytes written. *outp must have space available for the result. If outp is NULL, it returns the number of bytes without writing anything. On error, it returns a value <= 0.

Note this function differs slightly from i2d_SAMPLE. If outp is non-NULL and *outp is NULL, it does not allocate a new buffer.

TODO(davidben): This function currently returns zero on error instead of -1, but it is also mostly infallible. I've currently documented <= 0 to suggest callers work with both.

ASN1_BIT_STRING is an ASN1_ITEM with ASN.1 type BIT STRING and C type ASN1_BIT_STRING*.

ASN1_BIT_STRING_num_bytes computes the length of str in bytes. If str's bit length is a multiple of 8, it sets *out to the byte length and returns one. Otherwise, it returns zero.

This function may be used with ASN1_STRING_get0_data to interpret str as a byte string.

ASN1_BIT_STRING_set calls ASN1_STRING_set. It leaves flags unchanged, so the caller must set the number of unused bits.

TODO(davidben): Maybe it should? Wrapping a byte string in a bit string is a common use case.

ASN1_BIT_STRING_set_bit sets bit n of str to one if value is non-zero and zero if value is zero, resizing str as needed. It then truncates trailing zeros in str to align with the DER represention for a bit string with named bits. It returns one on success and zero on error. n is indexed beginning from zero.

ASN1_BIT_STRING_get_bit returns one if bit n of a is in bounds and set, and zero otherwise. n is indexed beginning from zero.

ASN1_BIT_STRING_check returns one if str only contains bits that are set in the flags_len bytes pointed by flags. Otherwise it returns zero. Bits in flags are arranged according to the DER representation, so bit 0 corresponds to the MSB of flags[0].

ASN1_INTEGER_new calls ASN1_STRING_type_new with V_ASN1_INTEGER. The resulting object has value zero.

ASN1_INTEGER_free calls ASN1_STRING_free.

ASN1_INTEGER_dup calls ASN1_STRING_dup.

d2i_ASN1_INTEGER parses up to len bytes from *inp as a DER-encoded ASN.1 INTEGER, as described in d2i_SAMPLE.

i2d_ASN1_INTEGER marshals in as a DER-encoded ASN.1 INTEGER, as described in i2d_SAMPLE.

c2i_ASN1_INTEGER decodes len bytes from *inp as the contents of a DER-encoded INTEGER, excluding the tag and length. It behaves like d2i_SAMPLE except, on success, it always consumes all len bytes.

i2c_ASN1_INTEGER encodes in as the contents of a DER-encoded INTEGER, excluding the tag and length. If outp is non-NULL, it writes the result to *outp, advances *outp just past the output, and returns the number of bytes written. *outp must have space available for the result. If outp is NULL, it returns the number of bytes without writing anything. On error, it returns a value <= 0.

Note this function differs slightly from i2d_SAMPLE. If outp is non-NULL and *outp is NULL, it does not allocate a new buffer.

TODO(davidben): This function currently returns zero on error instead of -1, but it is also mostly infallible. I've currently documented <= 0 to suggest callers work with both.

ASN1_INTEGER is an ASN1_ITEM with ASN.1 type INTEGER and C type ASN1_INTEGER*.

ASN1_INTEGER_set_uint64 sets a to an INTEGER with value v. It returns one on success and zero on error.

ASN1_INTEGER_set_int64 sets a to an INTEGER with value v. It returns one on success and zero on error.

ASN1_INTEGER_get_uint64 converts a to a uint64_t. On success, it returns one and sets *out to the result. If a did not fit or has the wrong type, it returns zero.

ASN1_INTEGER_get_int64 converts a to a int64_t. On success, it returns one and sets *out to the result. If a did not fit or has the wrong type, it returns zero.

BN_to_ASN1_INTEGER sets ai to an INTEGER with value bn and returns ai on success or NULL or error. If ai is NULL, it returns a newly-allocated ASN1_INTEGER on success instead, which the caller must release with ASN1_INTEGER_free.

ASN1_INTEGER_to_BN sets bn to the value of ai and returns bn on success or NULL or error. If bn is NULL, it returns a newly-allocated BIGNUM on success instead, which the caller must release with BN_free.

ASN1_INTEGER_cmp compares the values of x and y. It returns an integer equal to, less than, or greater than zero if x is equal to, less than, or greater than y, respectively.

ASN1_ENUMERATED_new calls ASN1_STRING_type_new with V_ASN1_ENUMERATED. The resulting object has value zero.

ASN1_ENUMERATED_free calls ASN1_STRING_free.

d2i_ASN1_ENUMERATED parses up to len bytes from *inp as a DER-encoded ASN.1 ENUMERATED, as described in d2i_SAMPLE.

i2d_ASN1_ENUMERATED marshals in as a DER-encoded ASN.1 ENUMERATED, as described in i2d_SAMPLE.

ASN1_ENUMERATED is an ASN1_ITEM with ASN.1 type ENUMERATED and C type ASN1_ENUMERATED*.

ASN1_ENUMERATED_set_uint64 sets a to an ENUMERATED with value v. It returns one on success and zero on error.

ASN1_ENUMERATED_set_int64 sets a to an ENUMERATED with value v. It returns one on success and zero on error.

ASN1_ENUMERATED_get_uint64 converts a to a uint64_t. On success, it returns one and sets *out to the result. If a did not fit or has the wrong type, it returns zero.

ASN1_ENUMERATED_get_int64 converts a to a int64_t. On success, it returns one and sets *out to the result. If a did not fit or has the wrong type, it returns zero.

BN_to_ASN1_ENUMERATED sets ai to an ENUMERATED with value bn and returns ai on success or NULL or error. If ai is NULL, it returns a newly-allocated ASN1_ENUMERATED on success instead, which the caller must release with ASN1_ENUMERATED_free.

ASN1_ENUMERATED_to_BN sets bn to the value of ai and returns bn on success or NULL or error. If bn is NULL, it returns a newly-allocated BIGNUM on success instead, which the caller must release with BN_free.

ASN1_UTCTIME_new calls ASN1_STRING_type_new with V_ASN1_UTCTIME. The resulting object contains empty contents and must be initialized to be a valid UTCTime.

ASN1_UTCTIME_free calls ASN1_STRING_free.

d2i_ASN1_UTCTIME parses up to len bytes from *inp as a DER-encoded ASN.1 UTCTime, as described in d2i_SAMPLE.

TODO(https://crbug.com/boringssl/354): This function currently also accepts BER, but this will be removed in the future.

i2d_ASN1_UTCTIME marshals in as a DER-encoded ASN.1 UTCTime, as described in i2d_SAMPLE.

ASN1_UTCTIME is an ASN1_ITEM with ASN.1 type UTCTime and C type ASN1_UTCTIME*.

ASN1_UTCTIME_check returns one if a is a valid UTCTime and zero otherwise.

ASN1_UTCTIME_set represents posix_time as a UTCTime and writes the result to s. It returns s on success and NULL on error. If s is NULL, it returns a newly-allocated ASN1_UTCTIME instead.

Note this function may fail if the time is out of range for UTCTime.

ASN1_UTCTIME_adj adds offset_day days and offset_sec seconds to posix_time and writes the result to s as a UTCTime. It returns s on success and NULL on error. If s is NULL, it returns a newly-allocated ASN1_UTCTIME instead.

Note this function may fail if the time overflows or is out of range for UTCTime.

ASN1_UTCTIME_set_string sets s to a UTCTime whose contents are a copy of str. It returns one on success and zero on error or if str is not a valid UTCTime.

If s is NULL, this function validates str without copying it.

ASN1_UTCTIME_cmp_time_t compares s to t. It returns -1 if s < t, 0 if they are equal, 1 if s > t, and -2 on error.

ASN1_GENERALIZEDTIME_new calls ASN1_STRING_type_new with V_ASN1_GENERALIZEDTIME. The resulting object contains empty contents and must be initialized to be a valid GeneralizedTime.

ASN1_GENERALIZEDTIME_free calls ASN1_STRING_free.

d2i_ASN1_GENERALIZEDTIME parses up to len bytes from *inp as a DER-encoded ASN.1 GeneralizedTime, as described in d2i_SAMPLE.

i2d_ASN1_GENERALIZEDTIME marshals in as a DER-encoded ASN.1 GeneralizedTime, as described in i2d_SAMPLE.

ASN1_GENERALIZEDTIME is an ASN1_ITEM with ASN.1 type GeneralizedTime and C type ASN1_GENERALIZEDTIME*.

ASN1_GENERALIZEDTIME_check returns one if a is a valid GeneralizedTime and zero otherwise.

ASN1_GENERALIZEDTIME_set represents posix_time as a GeneralizedTime and writes the result to s. It returns s on success and NULL on error. If s is NULL, it returns a newly-allocated ASN1_GENERALIZEDTIME instead.

Note this function may fail if the time is out of range for GeneralizedTime.

ASN1_GENERALIZEDTIME_adj adds offset_day days and offset_sec seconds to posix_time and writes the result to s as a GeneralizedTime. It returns s on success and NULL on error. If s is NULL, it returns a newly-allocated ASN1_GENERALIZEDTIME instead.

Note this function may fail if the time overflows or is out of range for GeneralizedTime.

ASN1_GENERALIZEDTIME_set_string sets s to a GeneralizedTime whose contents are a copy of str. It returns one on success and zero on error or if str is not a valid GeneralizedTime.

If s is NULL, this function validates str without copying it.

B_ASN1_TIME is a bitmask of types allowed in an X.509 Time.

ASN1_TIME_new returns a newly-allocated ASN1_TIME with type -1, or NULL on error. The resulting ASN1_TIME is not a valid X.509 Time until initialized with a value.

ASN1_TIME_free releases memory associated with str.

d2i_ASN1_TIME parses up to len bytes from *inp as a DER-encoded X.509 Time (RFC 5280), as described in d2i_SAMPLE.

TODO(https://crbug.com/boringssl/354): This function currently also accepts BER, but this will be removed in the future.

i2d_ASN1_TIME marshals in as a DER-encoded X.509 Time (RFC 5280), as described in i2d_SAMPLE.

ASN1_TIME is an ASN1_ITEM whose ASN.1 type is X.509 Time (RFC 5280) and C type is ASN1_TIME*.

ASN1_TIME_diff computes to - from. On success, it sets *out_days to the difference in days, rounded towards zero, sets *out_seconds to the remainder, and returns one. On error, it returns zero.

If from is before to, both outputs will be <= 0, with at least one negative. If from is after to, both will be >= 0, with at least one positive. If they are equal, ignoring fractional seconds, both will be zero.

Note this function may fail on overflow, or if from or to cannot be decoded.

ASN1_TIME_set_posix represents posix_time as a GeneralizedTime or UTCTime and writes the result to s. As in RFC 5280, section 4.1.2.5, it uses UTCTime when the time fits and GeneralizedTime otherwise. It returns s on success and NULL on error. If s is NULL, it returns a newly-allocated ASN1_TIME instead.

Note this function may fail if the time is out of range for GeneralizedTime.

ASN1_TIME_set is exactly the same as ASN1_TIME_set_posix but with a time_t as input for compatibility.

ASN1_TIME_adj adds offset_day days and offset_sec seconds to posix_time and writes the result to s. As in RFC 5280, section 4.1.2.5, it uses UTCTime when the time fits and GeneralizedTime otherwise. It returns s on success and NULL on error. If s is NULL, it returns a newly-allocated ASN1_GENERALIZEDTIME instead.

Note this function may fail if the time overflows or is out of range for GeneralizedTime.

ASN1_TIME_check returns one if t is a valid UTCTime or GeneralizedTime, and zero otherwise. t's type determines which check is performed. This function does not enforce that UTCTime was used when possible.

ASN1_TIME_to_generalizedtime converts t to a GeneralizedTime. If out is NULL, it returns a newly-allocated ASN1_GENERALIZEDTIME on success, or NULL on error. If out is non-NULL and *out is NULL, it additionally sets *out to the result. If out and *out are non-NULL, it instead updates the object pointed by *out and returns *out on success or NULL on error.

ASN1_TIME_set_string behaves like ASN1_UTCTIME_set_string if str is a valid UTCTime, and ASN1_GENERALIZEDTIME_set_string if str is a valid GeneralizedTime. If str is neither, it returns zero.

ASN1_TIME_set_string_X509 behaves like ASN1_TIME_set_string except it additionally converts GeneralizedTime to UTCTime if it is in the range where UTCTime is used. See RFC 5280, section 4.1.2.5.

ASN1_TIME_to_time_t converts t to a time_t value in out. On success, one is returned. On failure zero is returned. This function will fail if the time can not be represented in a time_t.

ASN1_TIME_to_posix converts t to a POSIX time value in out. On success, one is returned. On failure zero is returned.

TODO(davidben): Expand and document function prototypes generated in macros.

ASN1_NULL_new returns an opaque, non-NULL pointer. It is safe to call ASN1_NULL_free on the result, but not necessary.

ASN1_NULL_free does nothing.

d2i_ASN1_NULL parses a DER-encoded ASN.1 NULL value from up to len bytes at *inp, as described in d2i_SAMPLE.

i2d_ASN1_NULL marshals in as a DER-encoded ASN.1 NULL value, as described in i2d_SAMPLE.

ASN1_NULL is an ASN1_ITEM with ASN.1 type NULL and C type ASN1_NULL*.

ASN1_OBJECT_create returns a newly-allocated ASN1_OBJECT with len bytes from data as the encoded OID, or NULL on error. data should contain the DER-encoded identifier, excluding the tag and length.

nid should be NID_undef. Passing a NID value that does not match data will cause some functions to misbehave. sn and ln should be NULL. If non-NULL, they are stored as short and long names, respectively, but these values have no effect for ASN1_OBJECTs created through this function.

TODO(davidben): Should we just ignore all those parameters? NIDs and names are only relevant for ASN1_OBJECTs in the obj.h table.

ASN1_OBJECT_free releases memory associated with a. If a is a static ASN1_OBJECT, returned from OBJ_nid2obj, this function does nothing.

d2i_ASN1_OBJECT parses a DER-encoded ASN.1 OBJECT IDENTIFIER from up to len bytes at *inp, as described in d2i_SAMPLE.

i2d_ASN1_OBJECT marshals in as a DER-encoded ASN.1 OBJECT IDENTIFIER, as described in i2d_SAMPLE.

c2i_ASN1_OBJECT decodes len bytes from *inp as the contents of a DER-encoded OBJECT IDENTIFIER, excluding the tag and length. It behaves like d2i_SAMPLE except, on success, it always consumes all len bytes.

ASN1_OBJECT is an ASN1_ITEM with ASN.1 type OBJECT IDENTIFIER and C type ASN1_OBJECT*.

An asn1_type_st (aka ASN1_TYPE) represents an arbitrary ASN.1 element, typically used for ANY types. It contains a type field and a value union dependent on type.

WARNING: This struct has a complex representation. Callers must not construct ASN1_TYPE values manually. Use ASN1_TYPE_set and ASN1_TYPE_set1 instead. Additionally, callers performing non-trivial operations on this type are encouraged to use CBS and CBB from <openssl/bytestring.h>, and convert to or from ASN1_TYPE with d2i_ASN1_TYPE or i2d_ASN1_TYPE.

The type field corresponds to the tag of the ASN.1 element being represented:

If type is a V_ASN1_* constant for an ASN.1 string-like type, as defined by ASN1_STRING, the tag matches the constant. value contains an ASN1_STRING pointer (equivalently, one of the more specific typedefs). See ASN1_STRING for details on the representation. Unlike ASN1_STRING, ASN1_TYPE does not use the V_ASN1_NEG flag for negative INTEGER and ENUMERATE values. For a negative value, the ASN1_TYPE's type will be V_ASN1_INTEGER or V_ASN1_ENUMERATED, but value will an ASN1_STRING whose type is V_ASN1_NEG_INTEGER or V_ASN1_NEG_ENUMERATED.

If type is V_ASN1_OBJECT, the tag is OBJECT IDENTIFIER and value contains an ASN1_OBJECT pointer.

If type is V_ASN1_NULL, the tag is NULL. value contains a NULL pointer.

If type is V_ASN1_BOOLEAN, the tag is BOOLEAN. value contains an ASN1_BOOLEAN.

If type is V_ASN1_SEQUENCE, V_ASN1_SET, or V_ASN1_OTHER, the tag is SEQUENCE, SET, or some arbitrary tag, respectively. value uses the corresponding ASN1_STRING representation. Although any type may be represented in V_ASN1_OTHER, the parser will always return the more specific encoding when available.

Other values of type do not represent a valid ASN.1 value, though default-constructed objects may set type to -1. Such objects cannot be serialized.

ASN1_TYPE_new returns a newly-allocated ASN1_TYPE, or NULL on allocation failure. The resulting object has type -1 and must be initialized to be a valid ANY value.

ASN1_TYPE_free releases memory associated with a.

d2i_ASN1_TYPE parses up to len bytes from *inp as an ASN.1 value of any type, as described in d2i_SAMPLE. Note this function only validates primitive, universal types supported by this library. Values of type V_ASN1_SEQUENCE, V_ASN1_SET, V_ASN1_OTHER, or an unsupported primitive type must be validated by the caller when interpreting.

TODO(https://crbug.com/boringssl/354): This function currently also accepts BER, but this will be removed in the future.

i2d_ASN1_TYPE marshals in as DER, as described in i2d_SAMPLE.

ASN1_ANY is an ASN1_ITEM with ASN.1 type ANY and C type ASN1_TYPE*. Note the ASN1_ITEM name and C type do not match.

ASN1_TYPE_get returns the type of a, which will be one of the V_ASN1_* constants, or zero if a is not fully initialized.

ASN1_TYPE_set sets a to an ASN1_TYPE of type type and value value, releasing the previous contents of a.

If type is V_ASN1_BOOLEAN, a is set to FALSE if value is NULL and TRUE otherwise. If setting a to TRUE, value may be an invalid pointer, such as (void*)1.

If type is V_ASN1_NULL, value must be NULL.

For other values of type, this function takes ownership of value, which must point to an object of the corresponding type. See ASN1_TYPE for details.

ASN1_TYPE_set1 behaves like ASN1_TYPE_set except it does not take ownership of value. It returns one on success and zero on error.

ASN1_TYPE_cmp returns zero if a and b are equal and some non-zero value otherwise. Note this function can only be used for equality checks, not an ordering.

d2i_ASN1_SEQUENCE_ANY parses up to len bytes from *inp as a DER-encoded ASN.1 SEQUENCE OF ANY structure, as described in d2i_SAMPLE. The resulting ASN1_SEQUENCE_ANY owns its contents and thus must be released with sk_ASN1_TYPE_pop_free and ASN1_TYPE_free, not sk_ASN1_TYPE_free.

TODO(https://crbug.com/boringssl/354): This function currently also accepts BER, but this will be removed in the future.

i2d_ASN1_SEQUENCE_ANY marshals in as a DER-encoded SEQUENCE OF ANY structure, as described in i2d_SAMPLE.

d2i_ASN1_SET_ANY parses up to len bytes from *inp as a DER-encoded ASN.1 SET OF ANY structure, as described in d2i_SAMPLE. The resulting ASN1_SEQUENCE_ANY owns its contents and thus must be released with sk_ASN1_TYPE_pop_free and ASN1_TYPE_free, not sk_ASN1_TYPE_free.

TODO(https://crbug.com/boringssl/354): This function currently also accepts BER, but this will be removed in the future.

i2d_ASN1_SET_ANY marshals in as a DER-encoded SET OF ANY structure, as described in i2d_SAMPLE.

ASN1_UTCTIME_print writes a human-readable representation of a to out. It returns one on success and zero on error.

ASN1_GENERALIZEDTIME_print writes a human-readable representation of a to out. It returns one on success and zero on error.

ASN1_TIME_print writes a human-readable representation of a to out. It returns one on success and zero on error.

ASN1_STRING_print writes a human-readable representation of str to out. It returns one on success and zero on error. Unprintable characters are replaced with '.'.

The following flags must not collide with XN_FLAG_*.

ASN1_STRFLGS_ESC_2253 causes characters to be escaped as in RFC 2253, section 2.4.

ASN1_STRFLGS_ESC_CTRL causes all control characters to be escaped.

ASN1_STRFLGS_ESC_MSB causes all characters above 127 to be escaped.

ASN1_STRFLGS_ESC_QUOTE causes the string to be surrounded by quotes, rather than using backslashes, when characters are escaped. Fewer characters will require escapes in this case.

ASN1_STRFLGS_UTF8_CONVERT causes the string to be encoded as UTF-8, with each byte in the UTF-8 encoding treated as an individual character for purposes of escape sequences. If not set, each Unicode codepoint in the string is treated as a character, with wide characters escaped as "\Uxxxx" or "\Wxxxxxxxx". Note this can be ambiguous if ASN1_STRFLGS_ESC_* are all unset. In that case, backslashes are not escaped, but wide characters are.

ASN1_STRFLGS_IGNORE_TYPE causes the string type to be ignored. The ASN1_STRING in-memory representation will be printed directly.

ASN1_STRFLGS_SHOW_TYPE causes the string type to be included in the output.

ASN1_STRFLGS_DUMP_ALL causes all strings to be printed as a hexdump, using RFC 2253 hexstring notation, such as "#0123456789ABCDEF".

ASN1_STRFLGS_DUMP_UNKNOWN behaves like ASN1_STRFLGS_DUMP_ALL but only applies to values of unknown type. If unset, unknown values will print their contents as single-byte characters with escape sequences.

ASN1_STRFLGS_DUMP_DER causes hexdumped strings (as determined by ASN1_STRFLGS_DUMP_ALL or ASN1_STRFLGS_DUMP_UNKNOWN) to print the entire DER element as in RFC 2253, rather than only the contents of the ASN1_STRING.

ASN1_STRFLGS_RFC2253 causes the string to be escaped as in RFC 2253, additionally escaping control characters.

ASN1_STRING_print_ex writes a human-readable representation of str to out. It returns the number of bytes written on success and -1 on error. If out is NULL, it returns the number of bytes it would have written, without writing anything.

The flags should be a combination of combination of ASN1_STRFLGS_* constants. See the documentation for each flag for how it controls the output. If unsure, use ASN1_STRFLGS_RFC2253.

ASN1_STRING_print_ex_fp behaves like ASN1_STRING_print_ex but writes to a FILE rather than a BIO.

i2a_ASN1_INTEGER writes a human-readable representation of a to bp. It returns the number of bytes written on success, or a negative number on error. On error, this function may have written a partial output to bp.

i2a_ASN1_ENUMERATED writes a human-readable representation of a to bp. It returns the number of bytes written on success, or a negative number on error. On error, this function may have written a partial output to bp.

i2a_ASN1_OBJECT writes a human-readable representation of a to bp. It returns the number of bytes written on success, or a negative number on error. On error, this function may have written a partial output to bp.

i2a_ASN1_STRING writes a text representation of a's contents to bp. It returns the number of bytes written on success, or a negative number on error. On error, this function may have written a partial output to bp. type is ignored.

This function does not decode a into a Unicode string. It only hex-encodes the internal representation of a. This is suitable for printing an OCTET STRING, but may not be human-readable for any other string type.

i2t_ASN1_OBJECT calls OBJ_obj2txt with always_return_oid set to zero.

ASN1_get_object parses a BER element from up to max_len bytes at *inp. It returns V_ASN1_CONSTRUCTED if it successfully parsed a constructed element, zero if it successfully parsed a primitive element, and 0x80 on error. On success, it additionally advances *inp to the element body, sets *out_length, *out_tag, and *out_class to the element's length, tag number, and tag class, respectively,

Unlike OpenSSL, this function only supports DER. Indefinite and non-minimal lengths are rejected.

This function is difficult to use correctly. Use CBS_get_asn1 and related functions from bytestring.h.

ASN1_put_object writes the header for a DER or BER element to *outp and advances *outp by the number of bytes written. The caller is responsible for ensuring *outp has enough space for the output. The header describes an element with length length, tag number tag, and class xclass. xclass should be one of the V_ASN1_* tag class constants. The element is primitive if constructed is zero and constructed if it is one or two. If constructed is two, length is ignored and the element uses indefinite-length encoding.

Use CBB_add_asn1 instead.

ASN1_put_eoc writes two zero bytes to *outp, advances *outp to point past those bytes, and returns two.

Use definite-length encoding instead.

ASN1_object_size returns the number of bytes needed to encode a DER or BER value with length length and tag number tag, or -1 on error. tag should not include the constructed bit or tag class. If constructed is zero or one, the result uses a definite-length encoding with minimally-encoded length, as in DER. If constructed is two, the result uses BER indefinite-length encoding.

Use CBB_add_asn1 instead.

ASN1_STRING_set_default_mask does nothing.

ASN1_STRING_set_default_mask_asc returns one.

ASN1_STRING_get_default_mask returns B_ASN1_UTF8STRING.

ASN1_STRING_TABLE_cleanup does nothing.

M_ASN1_* are legacy aliases for various ASN1_STRING functions. Use the functions themselves.

B_ASN1_PRINTABLE is a bitmask for an ad-hoc subset of string-like types. Note the presence of B_ASN1_UNKNOWN means it includes types which ASN1_tag2bit maps to B_ASN1_UNKNOWN.

Do not use this. Despite the name, it has no connection to PrintableString or printable characters. See https://crbug.com/boringssl/412.

ASN1_PRINTABLE_new returns a newly-allocated ASN1_STRING with type -1, or NULL on error. The resulting ASN1_STRING is not a valid ASN.1 value until initialized with a value.

ASN1_PRINTABLE_free calls ASN1_STRING_free.

d2i_ASN1_PRINTABLE parses up to len bytes from *inp as a DER-encoded CHOICE of an ad-hoc subset of string-like types, as described in d2i_SAMPLE.

Do not use this. Despite, the name it has no connection to PrintableString or printable characters. See https://crbug.com/boringssl/412.

TODO(https://crbug.com/boringssl/354): This function currently also accepts BER, but this will be removed in the future.

i2d_ASN1_PRINTABLE marshals in as DER, as described in i2d_SAMPLE.

Do not use this. Despite the name, it has no connection to PrintableString or printable characters. See https://crbug.com/boringssl/412.

ASN1_PRINTABLE is an ASN1_ITEM whose ASN.1 type is a CHOICE of an ad-hoc subset of string-like types, and whose C type is ASN1_STRING*.

Do not use this. Despite the name, it has no connection to PrintableString or printable characters. See https://crbug.com/boringssl/412.

ASN1_INTEGER_set sets a to an INTEGER with value v. It returns one on success and zero on error.

Use ASN1_INTEGER_set_uint64 and ASN1_INTEGER_set_int64 instead.

ASN1_ENUMERATED_set sets a to an ENUMERATED with value v. It returns one on success and zero on error.

Use ASN1_ENUMERATED_set_uint64 and ASN1_ENUMERATED_set_int64 instead.

ASN1_INTEGER_get returns the value of a as a long, or -1 if a is out of range or the wrong type.

WARNING: This function's return value cannot distinguish errors from -1. Use ASN1_INTEGER_get_uint64 and ASN1_INTEGER_get_int64 instead.

ASN1_ENUMERATED_get returns the value of a as a long, or -1 if a is out of range or the wrong type.

WARNING: This function's return value cannot distinguish errors from -1. Use ASN1_ENUMERATED_get_uint64 and ASN1_ENUMERATED_get_int64 instead.