X509 is an ASN1_ITEM whose ASN.1 type is X.509 Certificate (RFC 5280) and C type is X509*.

X509_up_ref adds one to the reference count of x509 and returns one.

X509_chain_up_ref returns a newly-allocated STACK_OF(X509) containing a shallow copy of chain, or NULL on error. That is, the return value has the same contents as chain, and each X509's reference count is incremented by one.

X509_dup returns a newly-allocated copy of x509, or NULL on error. This function works by serializing the structure, so auxiliary properties (see i2d_X509_AUX) are not preserved. Additionally, if x509 is incomplete, this function may fail.

TODO(https://crbug.com/boringssl/407): This function should be const and thread-safe but is currently neither in some cases, notably if crl was mutated.

X509_free decrements x509's reference count and, if zero, releases memory associated with x509.

d2i_X509 parses up to len bytes from *inp as a DER-encoded X.509 Certificate (RFC 5280), as described in d2i_SAMPLE.

X509_parse_from_buffer parses an X.509 structure from buf and returns a fresh X509 or NULL on error. There must not be any trailing data in buf. The returned structure (if any) holds a reference to buf rather than copying parts of it as a normal d2i_X509 call would do.

i2d_X509 marshals x509 as a DER-encoded X.509 Certificate (RFC 5280), as described in i2d_SAMPLE.

TODO(https://crbug.com/boringssl/407): This function should be const and thread-safe but is currently neither in some cases, notably if x509 was mutated.

X509_VERSION_* are X.509 version numbers. Note the numerical values of all defined X.509 versions are one less than the named version.

X509_get_version returns the numerical value of x509's version, which will be one of the X509_VERSION_* constants.

X509_get0_serialNumber returns x509's serial number.

X509_get0_notBefore returns x509's notBefore time.

X509_get0_notAfter returns x509's notAfter time.

X509_get_issuer_name returns x509's issuer.

X509_get_subject_name returns x509's subject.

X509_get_X509_PUBKEY returns the public key of x509. Note this function is not const-correct for legacy reasons. Callers should not modify the returned object.

X509_get0_pubkey returns x509's public key as an EVP_PKEY, or NULL if the public key was unsupported or could not be decoded. The EVP_PKEY is cached in x509, so callers must not mutate the result.

X509_get_pubkey behaves like X509_get0_pubkey but increments the reference count on the EVP_PKEY. The caller must release the result with EVP_PKEY_free when done. The EVP_PKEY is cached in x509, so callers must not mutate the result.

X509_get0_pubkey_bitstr returns the BIT STRING portion of x509's public key. Note this does not contain the AlgorithmIdentifier portion.

WARNING: This function returns a non-const pointer for OpenSSL compatibility, but the caller must not modify the resulting object. Doing so will break internal invariants in x509.

X509_check_private_key returns one if x509's public key matches pkey and zero otherwise.

X509_get0_uids sets *out_issuer_uid to a non-owning pointer to the issuerUID field of x509, or NULL if x509 has no issuerUID. It similarly outputs x509's subjectUID field to *out_subject_uid.

Callers may pass NULL to either out_issuer_uid or out_subject_uid to ignore the corresponding field.

The following bits are returned from X509_get_extension_flags.

EXFLAG_BCONS indicates the certificate has a basic constraints extension.

EXFLAG_KUSAGE indicates the certifcate has a key usage extension.

EXFLAG_XKUSAGE indicates the certifcate has an extended key usage extension.

EXFLAG_CA indicates the certificate has a basic constraints extension with the CA bit set.

EXFLAG_SI indicates the certificate is self-issued, i.e. its subject and issuer names match.

EXFLAG_V1 indicates an X.509v1 certificate.

EXFLAG_INVALID indicates an error processing some extension. The certificate should not be accepted. Note the lack of this bit does not imply all extensions are valid, only those used to compute extension flags.

EXFLAG_SET is an internal bit that indicates extension flags were computed.

EXFLAG_CRITICAL indicates an unsupported critical extension. The certificate should not be accepted.

EXFLAG_SS indicates the certificate is likely self-signed. That is, if it is self-issued, its authority key identifier (if any) matches itself, and its key usage extension (if any) allows certificate signatures. The signature itself is not checked in computing this bit.

X509_get_extension_flags decodes a set of extensions from x509 and returns a collection of EXFLAG_* bits which reflect x509. If there was an error in computing this bitmask, the result will include the EXFLAG_INVALID bit.

X509_get_pathlen returns path length constraint from the basic constraints extension in x509. (See RFC 5280, section 4.2.1.9.) It returns -1 if the constraint is not present, or if some extension in x509 was invalid.

TODO(crbug.com/boringssl/381): Decoding an X509 object will not check for invalid extensions. To detect the error case, call X509_get_extension_flags and check the EXFLAG_INVALID bit.

X509v3_KU_* are key usage bits returned from X509_get_key_usage.

X509_get_key_usage returns a bitmask of key usages (see Section 4.2.1.3 of RFC 5280) which x509 is valid for. This function only reports the first 16 bits, in a little-endian byte order, but big-endian bit order. That is, bits 0 though 7 are reported at 1<<7 through 1<<0, and bits 8 through 15 are reported at 1<<15 through 1<<8.

Instead of depending on this bit order, callers should compare against the X509v3_KU_* constants.

If x509 has no key usage extension, all key usages are valid and this function returns UINT32_MAX. If there was an error processing x509's extensions, or if the first 16 bits in the key usage extension were all zero, this function returns zero.

XKU_* are extended key usage bits returned from X509_get_extended_key_usage.

X509_get_extended_key_usage returns a bitmask of extended key usages (see Section 4.2.1.12 of RFC 5280) which x509 is valid for. The result will be a combination of XKU_* constants. If checking an extended key usage not defined above, callers should extract the extended key usage extension separately, e.g. via X509_get_ext_d2i.

If x509 has no extended key usage extension, all extended key usages are valid and this function returns UINT32_MAX. If there was an error processing x509's extensions, or if x509's extended key usage extension contained no recognized usages, this function returns zero.

X509_get0_subject_key_id returns x509's subject key identifier, if present. (See RFC 5280, section 4.2.1.2.) It returns NULL if the extension is not present or if some extension in x509 was invalid.

TODO(crbug.com/boringssl/381): Decoding an X509 object will not check for invalid extensions. To detect the error case, call X509_get_extension_flags and check the EXFLAG_INVALID bit.

X509_get0_authority_key_id returns keyIdentifier of x509's authority key identifier, if the extension and field are present. (See RFC 5280, section 4.2.1.1.) It returns NULL if the extension is not present, if it is present but lacks a keyIdentifier field, or if some extension in x509 was invalid.

TODO(crbug.com/boringssl/381): Decoding an X509 object will not check for invalid extensions. To detect the error case, call X509_get_extension_flags and check the EXFLAG_INVALID bit.

X509_get0_authority_issuer returns the authorityCertIssuer of x509's authority key identifier, if the extension and field are present. (See RFC 5280, section 4.2.1.1.) It returns NULL if the extension is not present, if it is present but lacks a authorityCertIssuer field, or if some extension in x509 was invalid.

TODO(crbug.com/boringssl/381): Decoding an X509 object will not check for invalid extensions. To detect the error case, call X509_get_extension_flags and check the EXFLAG_INVALID bit.

X509_get0_authority_serial returns the authorityCertSerialNumber of x509's authority key identifier, if the extension and field are present. (See RFC 5280, section 4.2.1.1.) It returns NULL if the extension is not present, if it is present but lacks a authorityCertSerialNumber field, or if some extension in x509 was invalid.

TODO(crbug.com/boringssl/381): Decoding an X509 object will not check for invalid extensions. To detect the error case, call X509_get_extension_flags and check the EXFLAG_INVALID bit.

X509_get0_extensions returns x509's extension list, or NULL if x509 omits it.

X509_get_ext_count returns the number of extensions in x.

X509_get_ext_by_NID behaves like X509v3_get_ext_by_NID but searches for extensions in x.

X509_get_ext_by_OBJ behaves like X509v3_get_ext_by_OBJ but searches for extensions in x.

X509_get_ext_by_critical behaves like X509v3_get_ext_by_critical but searches for extensions in x.

X509_get_ext returns the extension in x at index loc, or NULL if loc is out of bounds. This function returns a non-const pointer for OpenSSL compatibility, but callers should not mutate the result.

X509_get_ext_d2i behaves like X509V3_get_d2i but looks for the extension in x509's extension list.

WARNING: This function is difficult to use correctly. See the documentation for X509V3_get_d2i for details.

X509_get0_tbs_sigalg returns the signature algorithm in x509's TBSCertificate. For the outer signature algorithm, see X509_get0_signature.

Certificates with mismatched signature algorithms will successfully parse, but they will be rejected when verifying.

X509_get0_signature sets *out_sig and *out_alg to the signature and signature algorithm of x509, respectively. Either output pointer may be NULL to ignore the value.

This function outputs the outer signature algorithm. For the one in the TBSCertificate, see X509_get0_tbs_sigalg. Certificates with mismatched signature algorithms will successfully parse, but they will be rejected when verifying.

X509_get_signature_nid returns the NID corresponding to x509's signature algorithm, or NID_undef if the signature algorithm does not correspond to a known NID.

i2d_X509_tbs serializes the TBSCertificate portion of x509, as described in i2d_SAMPLE.

This function preserves the original encoding of the TBSCertificate and may not reflect modifications made to x509. It may be used to manually verify the signature of an existing certificate. To generate certificates, use i2d_re_X509_tbs instead.

X509_verify checks that x509 has a valid signature by pkey. It returns one if the signature is valid and zero otherwise. Note this function only checks the signature itself and does not perform a full certificate validation.

X509_get1_email returns a newly-allocated list of NUL-terminated strings containing all email addresses in x509's subject and all rfc822name names in x509's subject alternative names. Email addresses which contain embedded NUL bytes are skipped.

On error, or if there are no such email addresses, it returns NULL. When done, the caller must release the result with X509_email_free.

X509_get1_ocsp returns a newly-allocated list of NUL-terminated strings containing all OCSP URIs in x509. That is, it collects all URI AccessDescriptions with an accessMethod of id-ad-ocsp in x509's authority information access extension. URIs which contain embedded NUL bytes are skipped.

On error, or if there are no such URIs, it returns NULL. When done, the caller must release the result with X509_email_free.

X509_email_free releases memory associated with sk, including sk itself. Each OPENSSL_STRING in sk must be a NUL-terminated string allocated with OPENSSL_malloc. If sk is NULL, no action is taken.

X509_cmp compares a and b and returns zero if they are equal, a negative number if b sorts after a and a negative number if a sorts after b. The sort order implemented by this function is arbitrary and does not reflect properties of the certificate such as expiry. Applications should not rely on the order itself.

TODO(https://crbug.com/boringssl/355): This function works by comparing a cached hash of the encoded certificate. If a or b could not be serialized, the current behavior is to compare all unencodable certificates as equal. This function should only be used with X509 objects that were parsed from bytes and never mutated.

TODO(https://crbug.com/boringssl/407): This function is const, but it is not always thread-safe, notably if a and b were mutated.

X509_new returns a newly-allocated, empty X509 object, or NULL on error. This produces an incomplete certificate which may be filled in to issue a new certificate.

X509_set_version sets x509's version to version, which should be one of the X509V_VERSION_* constants. It returns one on success and zero on error.

If unsure, use X509_VERSION_3.

X509_set_serialNumber sets x509's serial number to serial. It returns one on success and zero on error.

X509_set1_notBefore sets x509's notBefore time to tm. It returns one on success and zero on error.

X509_set1_notAfter sets x509's notAfter time to tm. it returns one on success and zero on error.

X509_getm_notBefore returns a mutable pointer to x509's notBefore time.

X509_getm_notAfter returns a mutable pointer to x509's notAfter time.

X509_set_issuer_name sets x509's issuer to a copy of name. It returns one on success and zero on error.

X509_set_subject_name sets x509's subject to a copy of name. It returns one on success and zero on error.

X509_set_pubkey sets x509's public key to pkey. It returns one on success and zero on error. This function does not take ownership of pkey and internally copies and updates reference counts as needed.

X509_delete_ext removes the extension in x at index loc and returns the removed extension, or NULL if loc was out of bounds. If non-NULL, the caller must release the result with X509_EXTENSION_free.

X509_add_ext adds a copy of ex to x. It returns one on success and zero on failure. The caller retains ownership of ex and can release it independently of x.

The new extension is inserted at index loc, shifting extensions to the right. If loc is -1 or out of bounds, the new extension is appended to the list.

X509_add1_ext_i2d behaves like X509V3_add1_i2d but adds the extension to x's extension list.

WARNING: This function may return zero or -1 on error. The caller must also ensure value's type matches nid. See the documentation for X509V3_add1_i2d for details.

X509_sign signs x509 with pkey and replaces the signature algorithm and signature fields. It returns the length of the signature on success and zero on error. This function uses digest algorithm md, or pkey's default if NULL. Other signing parameters use pkey's defaults. To customize them, use X509_sign_ctx.

X509_sign_ctx signs x509 with ctx and replaces the signature algorithm and signature fields. It returns the length of the signature on success and zero on error. The signature algorithm and parameters come from ctx, which must have been initialized with EVP_DigestSignInit. The caller should configure the corresponding EVP_PKEY_CTX before calling this function.

On success or failure, this function mutates ctx and resets it to the empty state. Caller should not rely on its contents after the function returns.

i2d_re_X509_tbs serializes the TBSCertificate portion of x509, as described in i2d_SAMPLE.

This function re-encodes the TBSCertificate and may not reflect x509's original encoding. It may be used to manually generate a signature for a new certificate. To verify certificates, use i2d_X509_tbs instead.

X509_set1_signature_algo sets x509's signature algorithm to algo and returns one on success or zero on error. It updates both the signature field of the TBSCertificate structure, and the signatureAlgorithm field of the Certificate.

X509_set1_signature_value sets x509's signature to a copy of the sig_len bytes pointed by sig. It returns one on success and zero on error.

Due to a specification error, X.509 certificates store signatures in ASN.1 BIT STRINGs, but signature algorithms return byte strings rather than bit strings. This function creates a BIT STRING containing a whole number of bytes, with the bit order matching the DER encoding. This matches the encoding used by all X.509 signature algorithms.

i2d_X509_AUX marshals x509 as a DER-encoded X.509 Certificate (RFC 5280), followed optionally by a separate, OpenSSL-specific structure with auxiliary properties. It behaves as described in i2d_SAMPLE.

Unlike similarly-named functions, this function does not output a single ASN.1 element. Directly embedding the output in a larger ASN.1 structure will not behave correctly.

TODO(crbug.com/boringssl/407): x509 should be const.

d2i_X509_AUX parses up to length bytes from *inp as a DER-encoded X.509 Certificate (RFC 5280), followed optionally by a separate, OpenSSL-specific structure with auxiliary properties. It behaves as described in d2i_SAMPLE.

WARNING: Passing untrusted input to this function allows an attacker to control auxiliary properties. This can allow unexpected influence over the application if the certificate is used in a context that reads auxiliary properties. This includes PKCS#12 serialization, trusted certificates in X509_STORE, and callers of X509_alias_get0 or X509_keyid_get0.

Unlike similarly-named functions, this function does not parse a single ASN.1 element. Trying to parse data directly embedded in a larger ASN.1 structure will not behave correctly.

X509_alias_set1 sets x509's alias to len bytes from name. If name is NULL, the alias is cleared instead. Aliases are not part of the certificate itself and will not be serialized by i2d_X509. If x509 is serialized in a PKCS#12 structure, the friendlyName attribute (RFC 2985) will contain this alias.

X509_keyid_set1 sets x509's key ID to len bytes from id. If id is NULL, the key ID is cleared instead. Key IDs are not part of the certificate itself and will not be serialized by i2d_X509.

X509_alias_get0 looks up x509's alias. If found, it sets *out_len to the alias's length and returns a pointer to a buffer containing the contents. If not found, it outputs the empty string by returning NULL and setting *out_len to zero.

If x509 was parsed from a PKCS#12 structure (see PKCS12_get_key_and_certs), the alias will reflect the friendlyName attribute (RFC 2985).

WARNING: In OpenSSL, this function did not set *out_len when the alias was missing. Callers that target both OpenSSL and BoringSSL should set the value to zero before calling this function.

X509_keyid_get0 looks up x509's key ID. If found, it sets *out_len to the key ID's length and returns a pointer to a buffer containing the contents. If not found, it outputs the empty string by returning NULL and setting *out_len to zero.

WARNING: In OpenSSL, this function did not set *out_len when the alias was missing. Callers that target both OpenSSL and BoringSSL should set the value to zero before calling this function.

X509_add1_trust_object configures x509 as a valid trust anchor for obj. It returns one on success and zero on error. obj should be a certificate usage OID associated with an X509_TRUST_* constant.

See X509_VERIFY_PARAM_set_trust for details on how this value is evaluated. Note this only takes effect if x509 was configured as a trusted certificate via X509_STORE.

X509_add1_reject_object configures x509 as distrusted for obj. It returns one on success and zero on error. obj should be a certificate usage OID associated with an X509_TRUST_* constant.

See X509_VERIFY_PARAM_set_trust for details on how this value is evaluated. Note this only takes effect if x509 was configured as a trusted certificate via X509_STORE.

X509_trust_clear clears the list of OIDs for which x509 is trusted. See also X509_add1_trust_object.

X509_reject_clear clears the list of OIDs for which x509 is distrusted. See also X509_add1_reject_object.

X509_CRL_up_ref adds one to the reference count of crl and returns one.

X509_CRL_dup returns a newly-allocated copy of crl, or NULL on error. This function works by serializing the structure, so if crl is incomplete, it may fail.

TODO(https://crbug.com/boringssl/407): This function should be const and thread-safe but is currently neither in some cases, notably if crl was mutated.

X509_CRL_free decrements crl's reference count and, if zero, releases memory associated with crl.

d2i_X509_CRL parses up to len bytes from *inp as a DER-encoded X.509 CertificateList (RFC 5280), as described in d2i_SAMPLE.

i2d_X509_CRL marshals crl as a X.509 CertificateList (RFC 5280), as described in i2d_SAMPLE.

TODO(https://crbug.com/boringssl/407): This function should be const and thread-safe but is currently neither in some cases, notably if crl was mutated.

X509_CRL_match compares a and b and returns zero if they are equal, a negative number if b sorts after a and a negative number if a sorts after b. The sort order implemented by this function is arbitrary and does not reflect properties of the CRL such as expiry. Applications should not rely on the order itself.

TODO(https://crbug.com/boringssl/355): This function works by comparing a cached hash of the encoded CRL. This cached hash is computed when the CRL is parsed, but not when mutating or issuing CRLs. This function should only be used with X509_CRL objects that were parsed from bytes and never mutated.

X509_CRL_get_version returns the numerical value of crl's version, which will be one of the X509_CRL_VERSION_* constants.

X509_CRL_get0_lastUpdate returns crl's thisUpdate time. The OpenSSL API refers to this field as lastUpdate.

X509_CRL_get0_nextUpdate returns crl's nextUpdate time, or NULL if crl has none.

X509_CRL_get_issuer returns crl's issuer name. Note this function is not const-correct for legacy reasons.

X509_CRL_get0_by_serial finds the entry in crl whose serial number is serial. If found, it sets *out to the entry and returns one. If not found, it returns zero.

On success, *out continues to be owned by crl. It is an error to free or otherwise modify *out.

TODO(crbug.com/boringssl/600): Ideally crl would be const. It is broadly thread-safe, but changes the order of entries in crl. It cannot be called concurrently with i2d_X509_CRL.

X509_CRL_get0_by_cert behaves like X509_CRL_get0_by_serial, except it looks for the entry that matches x509.

X509_CRL_get_REVOKED returns the list of revoked certificates in crl, or NULL if crl omits it.

TOOD(davidben): This function was originally a macro, without clear const semantics. It should take a const input and give const output, but the latter would break existing callers. For now, we match upstream.

X509_CRL_get0_extensions returns crl's extension list, or NULL if crl omits it. A CRL can have extensions on individual entries, which is X509_REVOKED_get0_extensions, or on the overall CRL, which is this function.

X509_CRL_get_ext_count returns the number of extensions in x.

X509_CRL_get_ext_by_NID behaves like X509v3_get_ext_by_NID but searches for extensions in x.

X509_CRL_get_ext_by_OBJ behaves like X509v3_get_ext_by_OBJ but searches for extensions in x.

X509_CRL_get_ext_by_critical behaves like X509v3_get_ext_by_critical but searches for extensions in x.

X509_CRL_get_ext returns the extension in x at index loc, or NULL if loc is out of bounds. This function returns a non-const pointer for OpenSSL compatibility, but callers should not mutate the result.

X509_CRL_get_ext_d2i behaves like X509V3_get_d2i but looks for the extension in crl's extension list.

WARNING: This function is difficult to use correctly. See the documentation for X509V3_get_d2i for details.

X509_CRL_get0_signature sets *out_sig and *out_alg to the signature and signature algorithm of crl, respectively. Either output pointer may be NULL to ignore the value.

This function outputs the outer signature algorithm, not the one in the TBSCertList. CRLs with mismatched signature algorithms will successfully parse, but they will be rejected when verifying.

X509_CRL_get_signature_nid returns the NID corresponding to crl's signature algorithm, or NID_undef if the signature algorithm does not correspond to a known NID.

i2d_X509_CRL_tbs serializes the TBSCertList portion of crl, as described in i2d_SAMPLE.

This function preserves the original encoding of the TBSCertList and may not reflect modifications made to crl. It may be used to manually verify the signature of an existing CRL. To generate CRLs, use i2d_re_X509_CRL_tbs instead.

X509_CRL_verify checks that crl has a valid signature by pkey. It returns one if the signature is valid and zero otherwise.

X509_CRL_new returns a newly-allocated, empty X509_CRL object, or NULL on error. This object may be filled in and then signed to construct a CRL.

X509_CRL_set_version sets crl's version to version, which should be one of the X509_CRL_VERSION_* constants. It returns one on success and zero on error.

If unsure, use X509_CRL_VERSION_2. Note that, unlike certificates, CRL versions are only defined up to v2. Callers should not use X509_VERSION_3.

X509_CRL_set_issuer_name sets crl's issuer to a copy of name. It returns one on success and zero on error.

X509_CRL_set1_lastUpdate sets crl's thisUpdate time to tm. It returns one on success and zero on error. The OpenSSL API refers to this field as lastUpdate.

X509_CRL_set1_nextUpdate sets crl's nextUpdate time to tm. It returns one on success and zero on error.

X509_CRL_add0_revoked adds rev to crl. On success, it takes ownership of rev and returns one. On error, it returns zero. If this function fails, the caller retains ownership of rev and must release it when done.

X509_CRL_sort sorts the entries in crl by serial number. It returns one on success and zero on error.

X509_CRL_delete_ext removes the extension in x at index loc and returns the removed extension, or NULL if loc was out of bounds. If non-NULL, the caller must release the result with X509_EXTENSION_free.

X509_CRL_add_ext adds a copy of ex to x. It returns one on success and zero on failure. The caller retains ownership of ex and can release it independently of x.

The new extension is inserted at index loc, shifting extensions to the right. If loc is -1 or out of bounds, the new extension is appended to the list.

X509_CRL_add1_ext_i2d behaves like X509V3_add1_i2d but adds the extension to x's extension list.

WARNING: This function may return zero or -1 on error. The caller must also ensure value's type matches nid. See the documentation for X509V3_add1_i2d for details.

X509_CRL_sign signs crl with pkey and replaces the signature algorithm and signature fields. It returns the length of the signature on success and zero on error. This function uses digest algorithm md, or pkey's default if NULL. Other signing parameters use pkey's defaults. To customize them, use X509_CRL_sign_ctx.

X509_CRL_sign_ctx signs crl with ctx and replaces the signature algorithm and signature fields. It returns the length of the signature on success and zero on error. The signature algorithm and parameters come from ctx, which must have been initialized with EVP_DigestSignInit. The caller should configure the corresponding EVP_PKEY_CTX before calling this function.

On success or failure, this function mutates ctx and resets it to the empty state. Caller should not rely on its contents after the function returns.

i2d_re_X509_CRL_tbs serializes the TBSCertList portion of crl, as described in i2d_SAMPLE.

This function re-encodes the TBSCertList and may not reflect crl's original encoding. It may be used to manually generate a signature for a new CRL. To verify CRLs, use i2d_X509_CRL_tbs instead.

X509_CRL_set1_signature_algo sets crl's signature algorithm to algo and returns one on success or zero on error. It updates both the signature field of the TBSCertList structure, and the signatureAlgorithm field of the CRL.

X509_CRL_set1_signature_value sets crl's signature to a copy of the sig_len bytes pointed by sig. It returns one on success and zero on error.

Due to a specification error, X.509 CRLs store signatures in ASN.1 BIT STRINGs, but signature algorithms return byte strings rather than bit strings. This function creates a BIT STRING containing a whole number of bytes, with the bit order matching the DER encoding. This matches the encoding used by all X.509 signature algorithms.

X509_REVOKED_new returns a newly-allocated, empty X509_REVOKED object, or NULL on allocation error.

X509_REVOKED_free releases memory associated with rev.

d2i_X509_REVOKED parses up to len bytes from *inp as a DER-encoded X.509 CRL entry, as described in d2i_SAMPLE.

i2d_X509_REVOKED marshals alg as a DER-encoded X.509 CRL entry, as described in i2d_SAMPLE.

X509_REVOKED_dup returns a newly-allocated copy of rev, or NULL on error. This function works by serializing the structure, so if rev is incomplete, it may fail.

X509_REVOKED_get0_serialNumber returns the serial number of the certificate revoked by revoked.

X509_REVOKED_set_serialNumber sets revoked's serial number to serial. It returns one on success or zero on error.

X509_REVOKED_get0_revocationDate returns the revocation time of the certificate revoked by revoked.

X509_REVOKED_set_revocationDate sets revoked's revocation time to tm. It returns one on success or zero on error.

X509_REVOKED_get0_extensions returns r's extensions list, or NULL if r omits it. A CRL can have extensions on individual entries, which is this function, or on the overall CRL, which is X509_CRL_get0_extensions.

X509_REVOKED_get_ext_by_NID behaves like X509v3_get_ext_by_NID but searches for extensions in x.

X509_REVOKED_get_ext_by_OBJ behaves like X509v3_get_ext_by_OBJ but searches for extensions in x.

X509_REVOKED_get_ext_by_critical behaves like X509v3_get_ext_by_critical but searches for extensions in x.

X509_REVOKED_get_ext returns the extension in x at index loc, or NULL if loc is out of bounds. This function returns a non-const pointer for OpenSSL compatibility, but callers should not mutate the result.

X509_REVOKED_delete_ext removes the extension in x at index loc and returns the removed extension, or NULL if loc was out of bounds. If non-NULL, the caller must release the result with X509_EXTENSION_free.

X509_REVOKED_add_ext adds a copy of ex to x. It returns one on success and zero on failure. The caller retains ownership of ex and can release it independently of x.

The new extension is inserted at index loc, shifting extensions to the right. If loc is -1 or out of bounds, the new extension is appended to the list.

X509_REVOKED_get_ext_d2i behaves like X509V3_get_d2i but looks for the extension in revoked's extension list.

WARNING: This function is difficult to use correctly. See the documentation for X509V3_get_d2i for details.

X509_REVOKED_add1_ext_i2d behaves like X509V3_add1_i2d but adds the extension to x's extension list.

WARNING: This function may return zero or -1 on error. The caller must also ensure value's type matches nid. See the documentation for X509V3_add1_i2d for details.

X509_REQ_dup returns a newly-allocated copy of req, or NULL on error. This function works by serializing the structure, so if req is incomplete, it may fail.

TODO(https://crbug.com/boringssl/407): This function should be const and thread-safe but is currently neither in some cases, notably if req was mutated.

X509_REQ_free releases memory associated with req.

d2i_X509_REQ parses up to len bytes from *inp as a DER-encoded CertificateRequest (RFC 2986), as described in d2i_SAMPLE.

i2d_X509_REQ marshals req as a CertificateRequest (RFC 2986), as described in i2d_SAMPLE.

TODO(https://crbug.com/boringssl/407): This function should be const and thread-safe but is currently neither in some cases, notably if req was mutated.

X509_REQ_VERSION_1 is the version constant for X509_REQ objects. No other versions are defined.

X509_REQ_get_version returns the numerical value of req's version. This will always be X509_REQ_VERSION_1 for valid CSRs. For compatibility, d2i_X509_REQ also accepts some invalid version numbers, in which case this function may return other values.

X509_REQ_get_subject_name returns req's subject name. Note this function is not const-correct for legacy reasons.

X509_REQ_get0_pubkey returns req's public key as an EVP_PKEY, or NULL if the public key was unsupported or could not be decoded. The EVP_PKEY is cached in req, so callers must not mutate the result.

X509_REQ_get_pubkey behaves like X509_REQ_get0_pubkey but increments the reference count on the EVP_PKEY. The caller must release the result with EVP_PKEY_free when done. The EVP_PKEY is cached in req, so callers must not mutate the result.

X509_REQ_check_private_key returns one if req's public key matches pkey and zero otherwise.

X509_REQ_get_attr_count returns the number of attributes in req.

X509_REQ_get_attr returns the attribute at index loc in req, or NULL if out of bounds.

X509_REQ_get_attr_by_NID returns the index of the attribute in req of type nid, or a negative number if not found. If found, callers can use X509_REQ_get_attr to look up the attribute by index.

If lastpos is non-negative, it begins searching at lastpos + 1. Callers can thus loop over all matching attributes by first passing -1 and then passing the previously-returned value until no match is returned.

X509_REQ_get_attr_by_OBJ behaves like X509_REQ_get_attr_by_NID but looks for attributes of type obj.

X509_REQ_extension_nid returns one if nid is a supported CSR attribute type for carrying extensions and zero otherwise. The supported types are NID_ext_req (pkcs-9-at-extensionRequest from RFC 2985) and NID_ms_ext_req (a Microsoft szOID_CERT_EXTENSIONS variant).

X509_REQ_get_extensions decodes the most preferred list of requested extensions in req and returns a newly-allocated STACK_OF(X509_EXTENSION) containing the result. It returns NULL on error, or if req did not request extensions.

CSRs do not store extensions directly. Instead there are attribute types which are defined to hold extensions. See X509_REQ_extension_nid. This function supports both pkcs-9-at-extensionRequest from RFC 2985 and the Microsoft szOID_CERT_EXTENSIONS variant. If both are present, pkcs-9-at-extensionRequest is preferred.

X509_REQ_get0_signature sets *out_sig and *out_alg to the signature and signature algorithm of req, respectively. Either output pointer may be NULL to ignore the value.

X509_REQ_get_signature_nid returns the NID corresponding to req's signature algorithm, or NID_undef if the signature algorithm does not correspond to a known NID.

X509_REQ_verify checks that req has a valid signature by pkey. It returns one if the signature is valid and zero otherwise.

X509_REQ_get1_email returns a newly-allocated list of NUL-terminated strings containing all email addresses in req's subject and all rfc822name names in req's subject alternative names. The subject alternative names extension is extracted from the result of X509_REQ_get_extensions. Email addresses which contain embedded NUL bytes are skipped.

On error, or if there are no such email addresses, it returns NULL. When done, the caller must release the result with X509_email_free.

X509_REQ_new returns a newly-allocated, empty X509_REQ object, or NULL on error. This object may be filled in and then signed to construct a CSR.

X509_REQ_set_version sets req's version to version, which should be X509_REQ_VERSION_1. It returns one on success and zero on error.

The only defined CSR version is X509_REQ_VERSION_1, so there is no need to call this function.

X509_REQ_set_subject_name sets req's subject to a copy of name. It returns one on success and zero on error.

X509_REQ_set_pubkey sets req's public key to pkey. It returns one on success and zero on error. This function does not take ownership of pkey and internally copies and updates reference counts as needed.

X509_REQ_delete_attr removes the attribute at index loc in req. It returns the removed attribute to the caller, or NULL if loc was out of bounds. If non-NULL, the caller must release the result with X509_ATTRIBUTE_free when done. It is also safe, but not necessary, to call X509_ATTRIBUTE_free if the result is NULL.

X509_REQ_add1_attr appends a copy of attr to req's list of attributes. It returns one on success and zero on error.

X509_REQ_add1_attr_by_OBJ appends a new attribute to req with type obj. It returns one on success and zero on error. The value is determined by X509_ATTRIBUTE_set1_data.

WARNING: The interpretation of attrtype, data, and len is complex and error-prone. See X509_ATTRIBUTE_set1_data for details.

X509_REQ_add1_attr_by_NID behaves like X509_REQ_add1_attr_by_OBJ except the attribute type is determined by nid.

X509_REQ_add1_attr_by_txt behaves like X509_REQ_add1_attr_by_OBJ except the attribute type is determined by calling OBJ_txt2obj with attrname.

X509_REQ_add_extensions_nid adds an attribute to req of type nid, to request the certificate extensions in exts. It returns one on success and zero on error. nid should be NID_ext_req or NID_ms_ext_req.

X509_REQ_add_extensions behaves like X509_REQ_add_extensions_nid, using the standard NID_ext_req for the attribute type.

X509_REQ_sign signs req with pkey and replaces the signature algorithm and signature fields. It returns the length of the signature on success and zero on error. This function uses digest algorithm md, or pkey's default if NULL. Other signing parameters use pkey's defaults. To customize them, use X509_REQ_sign_ctx.

X509_REQ_sign_ctx signs req with ctx and replaces the signature algorithm and signature fields. It returns the length of the signature on success and zero on error. The signature algorithm and parameters come from ctx, which must have been initialized with EVP_DigestSignInit. The caller should configure the corresponding EVP_PKEY_CTX before calling this function.

On success or failure, this function mutates ctx and resets it to the empty state. Caller should not rely on its contents after the function returns.

i2d_re_X509_REQ_tbs serializes the CertificationRequestInfo (see RFC 2986) portion of req, as described in i2d_SAMPLE.

This function re-encodes the CertificationRequestInfo and may not reflect req's original encoding. It may be used to manually generate a signature for a new certificate request.

X509_REQ_set1_signature_algo sets req's signature algorithm to algo and returns one on success or zero on error.

X509_REQ_set1_signature_value sets req's signature to a copy of the sig_len bytes pointed by sig. It returns one on success and zero on error.

Due to a specification error, PKCS#10 certificate requests store signatures in ASN.1 BIT STRINGs, but signature algorithms return byte strings rather than bit strings. This function creates a BIT STRING containing a whole number of bytes, with the bit order matching the DER encoding. This matches the encoding used by all X.509 signature algorithms.

X509_NAME is an ASN1_ITEM whose ASN.1 type is X.509 Name (RFC 5280) and C type is X509_NAME*.

X509_NAME_new returns a new, empty X509_NAME, or NULL on error.

X509_NAME_free releases memory associated with name.

d2i_X509_NAME parses up to len bytes from *inp as a DER-encoded X.509 Name (RFC 5280), as described in d2i_SAMPLE.

i2d_X509_NAME marshals in as a DER-encoded X.509 Name (RFC 5280), as described in i2d_SAMPLE.

TODO(https://crbug.com/boringssl/407): This function should be const and thread-safe but is currently neither in some cases, notably if in was mutated.

X509_NAME_dup returns a newly-allocated copy of name, or NULL on error.

TODO(https://crbug.com/boringssl/407): This function should be const and thread-safe but is currently neither in some cases, notably if name was mutated.

X509_NAME_cmp compares a and b's canonicalized forms. It returns zero if they are equal, one if a sorts after b, -1 if b sorts after a, and -2 on error.

TODO(https://crbug.com/boringssl/407): This function is const, but it is not always thread-safe, notably if name was mutated.

TODO(https://crbug.com/boringssl/355): The -2 return is very inconvenient to pass to a sorting function. Can we make this infallible? In the meantime, prefer to use this function only for equality checks rather than comparisons. Although even the library itself passes this to a sorting function.

X509_NAME_get0_der marshals name as a DER-encoded X.509 Name (RFC 5280). On success, it returns one and sets *out_der and *out_der_len to a buffer containing the result. Otherwise, it returns zero. *out_der is owned by name and must not be freed by the caller. It is invalidated after name is mutated or freed.

Avoid this function and prefer i2d_X509_NAME. It is one of the reasons X509_NAME functions, including this one, are not consistently thread-safe or const-correct. Depending on the resolution of https://crbug.com/boringssl/407, this function may be removed or cause poor performance.

X509_NAME_set makes a copy of name. On success, it frees *xn, sets *xn to the copy, and returns one. Otherwise, it returns zero.

TODO(https://crbug.com/boringssl/407): This function should be const and thread-safe but is currently neither in some cases, notably if name was mutated.

X509_NAME_entry_count returns the number of entries in name.

X509_NAME_get_index_by_NID returns the zero-based index of the first attribute in name with type nid, or -1 if there is none. nid should be one of the NID_* constants. If lastpos is non-negative, it begins searching at lastpos+1. To search all attributes, pass in -1, not zero.

Indices from this function refer to X509_NAME's flattened representation.

X509_NAME_get_index_by_OBJ behaves like X509_NAME_get_index_by_NID but looks for attributes with type obj.

X509_NAME_get_entry returns the attribute in name at index loc, or NULL if loc is out of range. loc is interpreted using X509_NAME's flattened representation. This function returns a non-const pointer for OpenSSL compatibility, but callers should not mutate the result. Doing so will break internal invariants in the library.

X509_NAME_delete_entry removes and returns the attribute in name at index loc, or NULL if loc is out of range. loc is interpreted using X509_NAME's flattened representation. If the attribute is found, the caller is responsible for releasing the result with X509_NAME_ENTRY_free.

This function will internally update RDN indices (see X509_NAME_ENTRY_set) so they continue to be consecutive.

X509_NAME_add_entry adds a copy of entry to name and returns one on success or zero on error. If loc is -1, the entry is appended to name. Otherwise, it is inserted at index loc. If set is -1, the entry is added to the previous entry's RDN. If it is 0, the entry becomes a singleton RDN. If 1, it is added to next entry's RDN.

This function will internally update RDN indices (see X509_NAME_ENTRY_set) so they continue to be consecutive.

X509_NAME_add_entry_by_OBJ adds a new entry to name and returns one on success or zero on error. The entry's attribute type is obj. The entry's attribute value is determined by type, bytes, and len, as in X509_NAME_ENTRY_set_data. The entry's position is determined by loc and set as in X509_NAME_add_entry.

X509_NAME_add_entry_by_NID behaves like X509_NAME_add_entry_by_OBJ but sets the entry's attribute type to nid, which should be one of the NID_* constants.

X509_NAME_add_entry_by_txt behaves like X509_NAME_add_entry_by_OBJ but sets the entry's attribute type to field, which is passed to OBJ_txt2obj.

X509_NAME_ENTRY_new returns a new, empty X509_NAME_ENTRY, or NULL on error.

X509_NAME_ENTRY_free releases memory associated with entry.

X509_NAME_ENTRY_dup returns a newly-allocated copy of entry, or NULL on error.

X509_NAME_ENTRY_get_object returns entry's attribute type. This function returns a non-const pointer for OpenSSL compatibility, but callers should not mutate the result. Doing so will break internal invariants in the library.

X509_NAME_ENTRY_set_object sets entry's attribute type to obj. It returns one on success and zero on error.

X509_NAME_ENTRY_get_data returns entry's attribute value, represented as an ASN1_STRING. This value may have any ASN.1 type, so callers must check the type before interpreting the contents. This function returns a non-const pointer for OpenSSL compatibility, but callers should not mutate the result. Doing so will break internal invariants in the library.

TODO(https://crbug.com/boringssl/412): Although the spec says any ASN.1 type is allowed, we currently only allow an ad-hoc set of types. Additionally, it is unclear if some types can even be represented by this function.

X509_NAME_ENTRY_set_data sets entry's value to len bytes from bytes. It returns one on success and zero on error. If len is -1, bytes must be a NUL-terminated C string and the length is determined by strlen. bytes is converted to an ASN.1 type as follows:

If type is a MBSTRING_* constant, the value is an ASN.1 string. The string is determined by decoding bytes in the encoding specified by type, and then re-encoding it in a form appropriate for entry's attribute type. See ASN1_STRING_set_by_NID for details.

Otherwise, the value is an ASN1_STRING with type type and value bytes. See ASN1_STRING for how to format ASN.1 types as an ASN1_STRING. If type is V_ASN1_UNDEF the previous ASN1_STRING type is reused.

X509_NAME_ENTRY_set returns the zero-based index of the RDN which contains entry. Consecutive entries with the same index are part of the same RDN.

X509_NAME_ENTRY_create_by_OBJ creates a new X509_NAME_ENTRY with attribute type obj. The attribute value is determined from type, bytes, and len as in X509_NAME_ENTRY_set_data. It returns the X509_NAME_ENTRY on success and NULL on error.

If out is non-NULL and *out is NULL, it additionally sets *out to the result on success. If both out and *out are non-NULL, it updates the object at *out instead of allocating a new one.

X509_NAME_ENTRY_create_by_NID behaves like X509_NAME_ENTRY_create_by_OBJ except the attribute type is nid, which should be one of the NID_* constants.

X509_NAME_ENTRY_create_by_txt behaves like X509_NAME_ENTRY_create_by_OBJ except the attribute type is field, which is passed to OBJ_txt2obj.

X509_PUBKEY_new returns a newly-allocated, empty X509_PUBKEY object, or NULL on error.

X509_PUBKEY_free releases memory associated with key.

d2i_X509_PUBKEY parses up to len bytes from *inp as a DER-encoded SubjectPublicKeyInfo, as described in d2i_SAMPLE.

i2d_X509_PUBKEY marshals key as a DER-encoded SubjectPublicKeyInfo, as described in i2d_SAMPLE.

X509_PUBKEY_set serializes pkey into a newly-allocated X509_PUBKEY structure. On success, it frees *x if non-NULL, then sets *x to the new object, and returns one. Otherwise, it returns zero.

X509_PUBKEY_get0 returns key as an EVP_PKEY, or NULL if key either could not be parsed or is an unrecognized algorithm. The EVP_PKEY is cached in key, so callers must not mutate the result.

X509_PUBKEY_get behaves like X509_PUBKEY_get0 but increments the reference count on the EVP_PKEY. The caller must release the result with EVP_PKEY_free when done. The EVP_PKEY is cached in key, so callers must not mutate the result.

X509_PUBKEY_set0_param sets pub to a key with AlgorithmIdentifier determined by obj, param_type, and param_value, and an encoded public key of key. On success, it gives pub ownership of all the other parameters and returns one. Otherwise, it returns zero. key must have been allocated by OPENSSL_malloc. obj and, if applicable, param_value must not be freed after a successful call, and must have been allocated in a manner compatible with ASN1_OBJECT_free or ASN1_STRING_free.

obj, param_type, and param_value are interpreted as in X509_ALGOR_set0. See X509_ALGOR_set0 for details.

X509_PUBKEY_get0_param outputs fields of pub and returns one. If out_obj is not NULL, it sets *out_obj to AlgorithmIdentifier's OID. If out_key is not NULL, it sets *out_key and *out_key_len to the encoded public key. If out_alg is not NULL, it sets *out_alg to the AlgorithmIdentifier.

All pointers outputted by this function are internal to pub and must not be freed by the caller. Additionally, although some outputs are non-const, callers must not mutate the resulting objects.

Note: X.509 SubjectPublicKeyInfo structures store the encoded public key as a BIT STRING. *out_key and *out_key_len will silently pad the key with zero bits if pub did not contain a whole number of bytes. Use X509_PUBKEY_get0_public_key to preserve this information.

X509_PUBKEY_get0_public_key returns pub's encoded public key.

X509_EXTENSION is an ASN1_ITEM whose ASN.1 type is X.509 Extension (RFC 5280) and C type is X509_EXTENSION*.

X509_EXTENSION_new returns a newly-allocated, empty X509_EXTENSION object or NULL on error.

X509_EXTENSION_free releases memory associated with ex.

d2i_X509_EXTENSION parses up to len bytes from *inp as a DER-encoded X.509 Extension (RFC 5280), as described in d2i_SAMPLE.

i2d_X509_EXTENSION marshals ex as a DER-encoded X.509 Extension (RFC 5280), as described in i2d_SAMPLE.

X509_EXTENSION_dup returns a newly-allocated copy of ex, or NULL on error. This function works by serializing the structure, so if ex is incomplete, it may fail.

X509_EXTENSION_create_by_NID creates a new X509_EXTENSION with type nid, value data, and critical bit crit. It returns an X509_EXTENSION on success, and NULL on error. nid should be a NID_* constant.

If ex and *ex are both non-NULL, *ex is used to hold the result, otherwise a new object is allocated. If ex is non-NULL and *ex is NULL, the function sets *ex to point to the newly allocated result, in addition to returning the result.

X509_EXTENSION_create_by_OBJ behaves like X509_EXTENSION_create_by_NID, but the extension type is determined by an ASN1_OBJECT.

X509_EXTENSION_get_object returns ex's extension type. This function returns a non-const pointer for OpenSSL compatibility, but callers should not mutate the result.

X509_EXTENSION_get_data returns ne's extension value. This function returns a non-const pointer for OpenSSL compatibility, but callers should not mutate the result.

X509_EXTENSION_get_critical returns one if ex is critical and zero otherwise.

X509_EXTENSION_set_object sets ex's extension type to obj. It returns one on success and zero on error.

X509_EXTENSION_set_critical sets ex to critical if crit is non-zero and to non-critical if crit is zero.

X509_EXTENSION_set_data set's ex's extension value to a copy of data. It returns one on success and zero on error.

d2i_X509_EXTENSIONS parses up to len bytes from *inp as a DER-encoded SEQUENCE OF Extension (RFC 5280), as described in d2i_SAMPLE.

i2d_X509_EXTENSIONS marshals alg as a DER-encoded SEQUENCE OF Extension (RFC 5280), as described in i2d_SAMPLE.

X509v3_get_ext_count returns the number of extensions in x.

X509v3_get_ext_by_NID returns the index of the first extension in x with type nid, or a negative number if not found. If found, callers can use X509v3_get_ext to look up the extension by index.

If lastpos is non-negative, it begins searching at lastpos + 1. Callers can thus loop over all matching extensions by first passing -1 and then passing the previously-returned value until no match is returned.

X509v3_get_ext_by_OBJ behaves like X509v3_get_ext_by_NID but looks for extensions matching obj.

X509v3_get_ext_by_critical returns the index of the first extension in x whose critical bit matches crit, or a negative number if no such extension was found.

If lastpos is non-negative, it begins searching at lastpos + 1. Callers can thus loop over all matching extensions by first passing -1 and then passing the previously-returned value until no match is returned.

X509v3_get_ext returns the extension in x at index loc, or NULL if loc is out of bounds. This function returns a non-const pointer for OpenSSL compatibility, but callers should not mutate the result.

X509v3_delete_ext removes the extension in x at index loc and returns the removed extension, or NULL if loc was out of bounds. If an extension was returned, the caller must release it with X509_EXTENSION_free.

X509v3_add_ext adds a copy of ex to the extension list in *x. If *x is NULL, it allocates a new STACK_OF(X509_EXTENSION) to hold the copy and sets *x to the new list. It returns *x on success and NULL on error. The caller retains ownership of ex and can release it independently of *x.

The new extension is inserted at index loc, shifting extensions to the right. If loc is -1 or out of bounds, the new extension is appended to the list.

X509V3_EXT_d2i decodes ext and returns a pointer to a newly-allocated structure, with type dependent on the type of the extension. It returns NULL if ext is an unsupported extension or if there was a syntax error in the extension. The caller should cast the return value to the expected type and free the structure when done.

WARNING: Casting the return value to the wrong type is a potentially exploitable memory error, so callers must not use this function before checking ext is of a known type. See the list at the top of this section for the correct types.

X509V3_get_d2i finds and decodes the extension in extensions of type nid. If found, it decodes it and returns a newly-allocated structure, with type dependent on nid. If the extension is not found or on error, it returns NULL. The caller may distinguish these cases using the out_critical value.

If out_critical is not NULL, this function sets *out_critical to one if the extension is found and critical, zero if it is found and not critical, -1 if it is not found, and -2 if there is an invalid duplicate extension. Note this function may set *out_critical to one or zero and still return NULL if the extension is found but has a syntax error.

If out_idx is not NULL, this function looks for the first occurrence of the extension after *out_idx. It then sets *out_idx to the index of the extension, or -1 if not found. If out_idx is non-NULL, duplicate extensions are not treated as an error. Callers, however, should not rely on this behavior as it may be removed in the future. Duplicate extensions are forbidden in RFC 5280.

WARNING: This function is difficult to use correctly. Callers should pass a non-NULL out_critical and check both the return value and *out_critical to handle errors. If the return value is NULL and *out_critical is not -1, there was an error. Otherwise, the function succeeded and but may return NULL for a missing extension. Callers should pass NULL to out_idx so that duplicate extensions are handled correctly.

Additionally, casting the return value to the wrong type is a potentially exploitable memory error, so callers must ensure the cast and nid match. See the list at the top of this section for the correct types.

X509V3_EXT_free casts ext_data into the type that corresponds to nid and releases memory associated with it. It returns one on success and zero if nid is not a known extension.

WARNING: Casting ext_data to the wrong type is a potentially exploitable memory error, so callers must ensure ext_data's type matches nid. See the list at the top of this section for the correct types.

TODO(davidben): OpenSSL upstream no longer exposes this function. Remove it?

X509V3_EXT_i2d casts ext_struc into the type that corresponds to ext_nid, serializes it, and returns a newly-allocated X509_EXTENSION object containing the serialization, or NULL on error. The X509_EXTENSION has OID ext_nid and is critical if crit is one.

WARNING: Casting ext_struc to the wrong type is a potentially exploitable memory error, so callers must ensure ext_struct's type matches ext_nid. See the list at the top of this section for the correct types.

The following constants control the behavior of X509V3_add1_i2d and related functions.

X509V3_ADD_OP_MASK can be ANDed with the flags to determine how duplicate extensions are processed.

X509V3_ADD_DEFAULT causes the function to fail if the extension was already present.

X509V3_ADD_APPEND causes the function to unconditionally appended the new extension to to the extensions list, even if there is a duplicate.

X509V3_ADD_REPLACE causes the function to replace the existing extension, or append if it is not present.

X509V3_ADD_REPLACE_EXISTING causes the function to replace the existing extension and fail if it is not present.

X509V3_ADD_KEEP_EXISTING causes the function to succeed without replacing the extension if already present.

X509V3_ADD_DELETE causes the function to remove the matching extension. No new extension is added. If there is no matching extension, the function fails. The value parameter is ignored in this mode.

X509V3_ADD_SILENT may be ORed into one of the values above to indicate the function should not add to the error queue on duplicate or missing extension. The function will continue to return zero in those cases, and it will continue to return -1 and add to the error queue on other errors.

X509V3_add1_i2d casts value to the type that corresponds to nid, serializes it, and appends it to the extension list in *x. If *x is NULL, it will set *x to a newly-allocated STACK_OF(X509_EXTENSION) as needed. The crit parameter determines whether the new extension is critical. flags may be some combination of the X509V3_ADD_* constants to control the function's behavior on duplicate extension.

This function returns one on success, zero if the operation failed due to a missing or duplicate extension, and -1 on other errors.

WARNING: Casting value to the wrong type is a potentially exploitable memory error, so callers must ensure value's type matches nid. See the list at the top of this section for the correct types.

A BASIC_CONSTRAINTS_st, aka BASIC_CONSTRAINTS represents an BasicConstraints structure (RFC 5280).

BASIC_CONSTRAINTS is an ASN1_ITEM whose ASN.1 type is BasicConstraints (RFC 5280) and C type is BASIC_CONSTRAINTS*.

BASIC_CONSTRAINTS_new returns a newly-allocated, empty BASIC_CONSTRAINTS object, or NULL on error.

BASIC_CONSTRAINTS_free releases memory associated with bcons.

d2i_BASIC_CONSTRAINTS parses up to len bytes from *inp as a DER-encoded BasicConstraints (RFC 5280), as described in d2i_SAMPLE.

i2d_BASIC_CONSTRAINTS marshals bcons as a DER-encoded BasicConstraints (RFC 5280), as described in i2d_SAMPLE.

EXTENDED_KEY_USAGE is an ASN1_ITEM whose ASN.1 type is ExtKeyUsageSyntax (RFC 5280) and C type is STACK_OF(ASN1_OBJECT)*, or EXTENDED_KEY_USAGE*.

EXTENDED_KEY_USAGE_new returns a newly-allocated, empty EXTENDED_KEY_USAGE object, or NULL on error.

EXTENDED_KEY_USAGE_free releases memory associated with eku.

d2i_EXTENDED_KEY_USAGE parses up to len bytes from *inp as a DER-encoded ExtKeyUsageSyntax (RFC 5280), as described in d2i_SAMPLE.

i2d_EXTENDED_KEY_USAGE marshals eku as a DER-encoded ExtKeyUsageSyntax (RFC 5280), as described in i2d_SAMPLE.

GEN_* are constants for the type field of GENERAL_NAME, defined below.

A GENERAL_NAME_st, aka GENERAL_NAME, represents an X.509 GeneralName. The type field determines which member of d is active. A GENERAL_NAME may also be empty, in which case type is -1 and d is NULL. Empty GENERAL_NAMEs are invalid and will never be returned from the parser, but may be created temporarily, e.g. by GENERAL_NAME_new.

WARNING: type and d must be kept consistent. An inconsistency will result in a potentially exploitable memory error.

GENERAL_NAME_new returns a new, empty GENERAL_NAME, or NULL on error.

GENERAL_NAME_free releases memory associated with gen.

d2i_GENERAL_NAME parses up to len bytes from *inp as a DER-encoded X.509 GeneralName (RFC 5280), as described in d2i_SAMPLE.

i2d_GENERAL_NAME marshals in as a DER-encoded X.509 GeneralName (RFC 5280), as described in i2d_SAMPLE.

TODO(https://crbug.com/boringssl/407): This function should be const and thread-safe but is currently neither in some cases, notably if in is an directoryName and the X509_NAME has been modified.

GENERAL_NAME_dup returns a newly-allocated copy of gen, or NULL on error. This function works by serializing the structure, so it will fail if gen is empty.

TODO(https://crbug.com/boringssl/407): This function should be const and thread-safe but is currently neither in some cases, notably if gen is an directoryName and the X509_NAME has been modified.

GENERAL_NAMES_new returns a new, empty GENERAL_NAMES, or NULL on error.

GENERAL_NAMES_free releases memory associated with gens.

d2i_GENERAL_NAMES parses up to len bytes from *inp as a DER-encoded SEQUENCE OF GeneralName, as described in d2i_SAMPLE.

i2d_GENERAL_NAMES marshals in as a DER-encoded SEQUENCE OF GeneralName, as described in i2d_SAMPLE.

TODO(https://crbug.com/boringssl/407): This function should be const and thread-safe but is currently neither in some cases, notably if some element of in is an directoryName and the X509_NAME has been modified.

OTHERNAME_new returns a new, empty OTHERNAME, or NULL on error.

OTHERNAME_free releases memory associated with name.

EDIPARTYNAME_new returns a new, empty EDIPARTYNAME, or NULL on error. EDIPartyName is rarely used in practice, so callers are unlikely to need this function.

EDIPARTYNAME_free releases memory associated with name. EDIPartyName is rarely used in practice, so callers are unlikely to need this function.

GENERAL_NAME_set0_value set gen's type and value to type and value. type must be a GEN_* constant and value must be an object of the corresponding type. gen takes ownership of value, so value must have been an allocated object.

WARNING: gen must be empty (typically as returned from GENERAL_NAME_new) before calling this function. If gen already contained a value, the previous contents will be leaked.

GENERAL_NAME_get0_value returns the in-memory representation of gen's contents and, out_type is not NULL, sets *out_type to the type of gen, which will be a GEN_* constant. If gen is incomplete, the return value will be NULL and the type will be -1.

WARNING: Casting the result of this function to the wrong type is a potentially exploitable memory error. Callers must check gen's type, either via *out_type or checking gen->type directly, before inspecting the result.

WARNING: This function is not const-correct. The return value should be const. Callers shoudl not mutate the returned object.

GENERAL_NAME_set0_othername sets gen to be an OtherName with type oid and value value. On success, it returns one and takes ownership of oid and value, which must be created in a way compatible with ASN1_OBJECT_free and ASN1_TYPE_free, respectively. On allocation failure, it returns zero. In the failure case, the caller retains ownership of oid and value and must release them when done.

WARNING: gen must be empty (typically as returned from GENERAL_NAME_new) before calling this function. If gen already contained a value, the previously contents will be leaked.

GENERAL_NAME_get0_otherName, if gen is an OtherName, sets *out_oid and *out_value to the OtherName's type-id and value, respectively, and returns one. If gen is not an OtherName, it returns zero and leaves *out_oid and *out_value unmodified. Either of out_oid or out_value may be NULL to ignore the value.

WARNING: This function is not const-correct. out_oid and out_value are not const, but callers should not mutate the resulting objects.

A AUTHORITY_KEYID_st, aka AUTHORITY_KEYID, represents an AuthorityKeyIdentifier structure (RFC 5280).

AUTHORITY_KEYID is an ASN1_ITEM whose ASN.1 type is AuthorityKeyIdentifier (RFC 5280) and C type is AUTHORITY_KEYID*.

AUTHORITY_KEYID_new returns a newly-allocated, empty AUTHORITY_KEYID object, or NULL on error.

AUTHORITY_KEYID_free releases memory associated with akid.

d2i_AUTHORITY_KEYID parses up to len bytes from *inp as a DER-encoded AuthorityKeyIdentifier (RFC 5280), as described in d2i_SAMPLE.

i2d_AUTHORITY_KEYID marshals akid as a DER-encoded AuthorityKeyIdentifier (RFC 5280), as described in i2d_SAMPLE.

TODO(https://crbug.com/boringssl/407): akid is not const because it contains an X509_NAME.

A GENERAL_SUBTREE represents a GeneralSubtree structure (RFC 5280).

GENERAL_SUBTREE_new returns a newly-allocated, empty GENERAL_SUBTREE object, or NULL on error.

GENERAL_SUBTREE_free releases memory associated with subtree.

A NAME_CONSTRAINTS_st, aka NAME_CONSTRAINTS, represents a NameConstraints structure (RFC 5280).

NAME_CONSTRAINTS is an ASN1_ITEM whose ASN.1 type is NameConstraints (RFC 5280) and C type is NAME_CONSTRAINTS*.

NAME_CONSTRAINTS_new returns a newly-allocated, empty NAME_CONSTRAINTS object, or NULL on error.

NAME_CONSTRAINTS_free releases memory associated with ncons.

An ACCESS_DESCRIPTION represents an AccessDescription structure (RFC 5280).

ACCESS_DESCRIPTION_new returns a newly-allocated, empty ACCESS_DESCRIPTION object, or NULL on error.

ACCESS_DESCRIPTION_free releases memory associated with desc.

AUTHORITY_INFO_ACCESS is an ASN1_ITEM whose ASN.1 type is AuthorityInfoAccessSyntax (RFC 5280) and C type is STACK_OF(ACCESS_DESCRIPTION)*, or AUTHORITY_INFO_ACCESS*.

AUTHORITY_INFO_ACCESS_new returns a newly-allocated, empty AUTHORITY_INFO_ACCESS object, or NULL on error.

AUTHORITY_INFO_ACCESS_free releases memory associated with aia.

d2i_AUTHORITY_INFO_ACCESS parses up to len bytes from *inp as a DER-encoded AuthorityInfoAccessSyntax (RFC 5280), as described in d2i_SAMPLE.

i2d_AUTHORITY_INFO_ACCESS marshals aia as a DER-encoded AuthorityInfoAccessSyntax (RFC 5280), as described in i2d_SAMPLE.

TODO(https://crbug.com/boringssl/407): aia is not const because it contains an X509_NAME.

A DIST_POINT_NAME represents a DistributionPointName structure (RFC 5280). The name field contains the CHOICE value and is determined by type. If type is zero, name must be a fullname. If type is one, name must be a relativename.

WARNING: type and name must be kept consistent. An inconsistency will result in a potentially exploitable memory error.

DIST_POINT_NAME_new returns a newly-allocated, empty DIST_POINT_NAME object, or NULL on error.

DIST_POINT_NAME_free releases memory associated with name.

A DIST_POINT_st, aka DIST_POINT, represents a DistributionPoint structure (RFC 5280).

DIST_POINT_new returns a newly-allocated, empty DIST_POINT object, or NULL on error.

DIST_POINT_free releases memory associated with dp.

CRL_DIST_POINTS is an ASN1_ITEM whose ASN.1 type is CRLDistributionPoints (RFC 5280) and C type is CRL_DIST_POINTS*.

CRL_DIST_POINTS_new returns a newly-allocated, empty CRL_DIST_POINTS object, or NULL on error.

CRL_DIST_POINTS_free releases memory associated with crldp.

d2i_CRL_DIST_POINTS parses up to len bytes from *inp as a DER-encoded CRLDistributionPoints (RFC 5280), as described in d2i_SAMPLE.

i2d_CRL_DIST_POINTS marshals crldp as a DER-encoded CRLDistributionPoints (RFC 5280), as described in i2d_SAMPLE.

TODO(https://crbug.com/boringssl/407): crldp is not const because it contains an X509_NAME.

A ISSUING_DIST_POINT_st, aka ISSUING_DIST_POINT, represents a IssuingDistributionPoint structure (RFC 5280).

ISSUING_DIST_POINT is an ASN1_ITEM whose ASN.1 type is IssuingDistributionPoint (RFC 5280) and C type is ISSUING_DIST_POINT*.

ISSUING_DIST_POINT_new returns a newly-allocated, empty ISSUING_DIST_POINT object, or NULL on error.

ISSUING_DIST_POINT_free releases memory associated with idp.

d2i_ISSUING_DIST_POINT parses up to len bytes from *inp as a DER-encoded IssuingDistributionPoint (RFC 5280), as described in d2i_SAMPLE.

i2d_ISSUING_DIST_POINT marshals idp as a DER-encoded IssuingDistributionPoint (RFC 5280), as described in i2d_SAMPLE.

TODO(https://crbug.com/boringssl/407): idp is not const because it contains an X509_NAME.

A NOTICEREF represents a NoticeReference structure (RFC 5280).

NOTICEREF_new returns a newly-allocated, empty NOTICEREF object, or NULL on error.

NOTICEREF_free releases memory associated with ref.

A USERNOTICE represents a UserNotice structure (RFC 5280).

USERNOTICE_new returns a newly-allocated, empty USERNOTICE object, or NULL on error.

USERNOTICE_free releases memory associated with notice.

A POLICYQUALINFO represents a PolicyQualifierInfo structure (RFC 5280). d contains the qualifier field of the PolicyQualifierInfo. Its type is determined by pqualid. If pqualid is NID_id_qt_cps, d must be cpsuri. If pqualid is NID_id_qt_unotice, d must be usernotice. Otherwise, d must be other.

WARNING: pqualid and d must be kept consistent. An inconsistency will result in a potentially exploitable memory error.

POLICYQUALINFO_new returns a newly-allocated, empty POLICYQUALINFO object, or NULL on error.

POLICYQUALINFO_free releases memory associated with info.

A POLICYINFO represents a PolicyInformation structure (RFC 5280).

POLICYINFO_new returns a newly-allocated, empty POLICYINFO object, or NULL on error.

POLICYINFO_free releases memory associated with info.

CERTIFICATEPOLICIES is an ASN1_ITEM whose ASN.1 type is CertificatePolicies (RFC 5280) and C type is STACK_OF(POLICYINFO)*, or CERTIFICATEPOLICIES*.

CERTIFICATEPOLICIES_new returns a newly-allocated, empty CERTIFICATEPOLICIES object, or NULL on error.

CERTIFICATEPOLICIES_free releases memory associated with policies.

d2i_CERTIFICATEPOLICIES parses up to len bytes from *inp as a DER-encoded CertificatePolicies (RFC 5280), as described in d2i_SAMPLE.

i2d_CERTIFICATEPOLICIES marshals policies as a DER-encoded CertificatePolicies (RFC 5280), as described in i2d_SAMPLE.

A POLICY_MAPPING represents an individual element of a PolicyMappings structure (RFC 5280).

POLICY_MAPPING_new returns a newly-allocated, empty POLICY_MAPPING object, or NULL on error.

POLICY_MAPPING_free releases memory associated with mapping.

POLICY_MAPPINGS is an ASN1_ITEM whose ASN.1 type is PolicyMappings (RFC 5280) and C type is STACK_OF(POLICY_MAPPING)*, or POLICY_MAPPINGS*.

A POLICY_CONSTRAINTS represents a PolicyConstraints structure (RFC 5280).

POLICY_CONSTRAINTS is an ASN1_ITEM whose ASN.1 type is PolicyConstraints (RFC 5280) and C type is POLICY_CONSTRAINTS*.

POLICY_CONSTRAINTS_new returns a newly-allocated, empty POLICY_CONSTRAINTS object, or NULL on error.

POLICY_CONSTRAINTS_free releases memory associated with pcons.

X509_ALGOR is an ASN1_ITEM whose ASN.1 type is AlgorithmIdentifier and C type is X509_ALGOR*.

X509_ALGOR_new returns a newly-allocated, empty X509_ALGOR object, or NULL on error.

X509_ALGOR_dup returns a newly-allocated copy of alg, or NULL on error. This function works by serializing the structure, so if alg is incomplete, it may fail.

X509_ALGOR_free releases memory associated with alg.

d2i_X509_ALGOR parses up to len bytes from *inp as a DER-encoded AlgorithmIdentifier, as described in d2i_SAMPLE.

i2d_X509_ALGOR marshals alg as a DER-encoded AlgorithmIdentifier, as described in i2d_SAMPLE.

X509_ALGOR_set0 sets alg to an AlgorithmIdentifier with algorithm obj and parameter determined by param_type and param_value. It returns one on success and zero on error. This function takes ownership of obj and param_value on success.

If param_type is V_ASN1_UNDEF, the parameter is omitted. If param_type is zero, the parameter is left unchanged. Otherwise, param_type and param_value are interpreted as in ASN1_TYPE_set.

Note omitting the parameter (V_ASN1_UNDEF) and encoding an explicit NULL value (V_ASN1_NULL) are different. Some algorithms require one and some the other. Consult the relevant specification before calling this function. The correct parameter for an RSASSA-PKCS1-v1_5 signature is V_ASN1_NULL. The correct one for an ECDSA or Ed25519 signature is V_ASN1_UNDEF.

X509_ALGOR_get0 sets *out_obj to the alg's algorithm. If alg's parameter is omitted, it sets *out_param_type and *out_param_value to V_ASN1_UNDEF and NULL. Otherwise, it sets *out_param_type and *out_param_value to the parameter, using the same representation as ASN1_TYPE_set0. See ASN1_TYPE_set0 and ASN1_TYPE for details.

Callers that require the parameter in serialized form should, after checking for V_ASN1_UNDEF, use ASN1_TYPE_set1 and d2i_ASN1_TYPE, rather than inspecting *out_param_value.

Each of out_obj, out_param_type, and out_param_value may be NULL to ignore the output. If out_param_type is NULL, out_param_value is ignored.

WARNING: If *out_param_type is set to V_ASN1_UNDEF, OpenSSL and older revisions of BoringSSL leave *out_param_value unset rather than setting it to NULL. Callers that support both OpenSSL and BoringSSL should not assume *out_param_value is uniformly initialized.

X509_ALGOR_set_md sets alg to the hash function md. Note this AlgorithmIdentifier represents the hash function itself, not a signature algorithm that uses md. It returns one on success and zero on error.

Due to historical specification mistakes (see Section 2.1 of RFC 4055), the parameters field is sometimes omitted and sometimes a NULL value. When used in RSASSA-PSS and RSAES-OAEP, it should be a NULL value. In other contexts, the parameters should be omitted. This function assumes the caller is constructing a RSASSA-PSS or RSAES-OAEP AlgorithmIdentifier and includes a NULL parameter. This differs from OpenSSL's behavior.

TODO(davidben): Rename this function, or perhaps just add a bespoke API for constructing PSS and move on.

X509_ALGOR_cmp returns zero if a and b are equal, and some non-zero value otherwise. Note this function can only be used for equality checks, not an ordering.

X509_ATTRIBUTE_new returns a newly-allocated, empty X509_ATTRIBUTE object, or NULL on error. X509_ATTRIBUTE_set1_* may be used to finish initializing it.

X509_ATTRIBUTE_dup returns a newly-allocated copy of attr, or NULL on error. This function works by serializing the structure, so if attr is incomplete, it may fail.

X509_ATTRIBUTE_free releases memory associated with attr.

d2i_X509_ATTRIBUTE parses up to len bytes from *inp as a DER-encoded Attribute (RFC 2986), as described in d2i_SAMPLE.

i2d_X509_ATTRIBUTE marshals alg as a DER-encoded Attribute (RFC 2986), as described in i2d_SAMPLE.

X509_ATTRIBUTE_create returns a newly-allocated X509_ATTRIBUTE, or NULL on error. The attribute has type nid and contains a single value determined by attrtype and value, which are interpreted as in ASN1_TYPE_set. Note this function takes ownership of value.

X509_ATTRIBUTE_create_by_NID returns a newly-allocated X509_ATTRIBUTE of type nid, or NULL on error. The value is determined as in X509_ATTRIBUTE_set1_data.

If attr is non-NULL, the resulting X509_ATTRIBUTE is also written to *attr. If *attr was non-NULL when the function was called, *attr is reused instead of creating a new object.

WARNING: The interpretation of attrtype, data, and len is complex and error-prone. See X509_ATTRIBUTE_set1_data for details.

WARNING: The object reuse form is deprecated and may be removed in the future. It also currently incorrectly appends to the reused object's value set rather than overwriting it.

X509_ATTRIBUTE_create_by_OBJ behaves like X509_ATTRIBUTE_create_by_NID except the attribute's type is determined by obj.

X509_ATTRIBUTE_create_by_txt behaves like X509_ATTRIBUTE_create_by_NID except the attribute's type is determined by calling OBJ_txt2obj with attrname.

X509_ATTRIBUTE_set1_object sets attr's type to obj. It returns one on success and zero on error.

X509_ATTRIBUTE_set1_data appends a value to attr's value set and returns one on success or zero on error. The value is determined as follows:

If attrtype is zero, this function returns one and does nothing. This form may be used when calling X509_ATTRIBUTE_create_by_* to create an attribute with an empty value set. Such attributes are invalid, but OpenSSL supports creating them.

Otherwise, if attrtype is a MBSTRING_* constant, the value is an ASN.1 string. The string is determined by decoding len bytes from data in the encoding specified by attrtype, and then re-encoding it in a form appropriate for attr's type. If len is -1, strlen(data) is used instead. See ASN1_STRING_set_by_NID for details.

Otherwise, if len is not -1, the value is an ASN.1 string. attrtype is an ASN1_STRING type value and the len bytes from data are copied as the type-specific representation of ASN1_STRING. See ASN1_STRING for details.

Otherwise, if len is -1, the value is constructed by passing attrtype and data to ASN1_TYPE_set1. That is, attrtype is an ASN1_TYPE type value, and data is cast to the corresponding pointer type.

WARNING: Despite the name, this function appends to attr's value set, rather than overwriting it. To overwrite the value set, create a new X509_ATTRIBUTE with X509_ATTRIBUTE_new.

WARNING: If using the MBSTRING_* form, pass a length rather than relying on strlen. In particular, strlen will not behave correctly if the input is MBSTRING_BMP or MBSTRING_UNIV.

WARNING: This function currently misinterprets V_ASN1_OTHER as an MBSTRING_* constant. This matches OpenSSL but means it is impossible to construct a value with a non-universal tag.

X509_ATTRIBUTE_get0_data returns the idxth value of attr in a type-specific representation to attrtype, or NULL if out of bounds or the type does not match. attrtype is one of the type values in ASN1_TYPE. On match, the return value uses the same representation as ASN1_TYPE_set0. See ASN1_TYPE for details.

X509_ATTRIBUTE_count returns the number of values in attr.

X509_ATTRIBUTE_get0_object returns the type of attr.

X509_ATTRIBUTE_get0_type returns the idxth value in attr, or NULL if out of bounds. Note this function returns one of attr's values, not the type.

X509_STORE_new returns a newly-allocated X509_STORE, or NULL on error.

X509_STORE_up_ref adds one to the reference count of store and returns one. Although store is not const, this function's use of store is thread-safe.

X509_STORE_free releases memory associated with store.

X509_STORE_add_cert adds x509 to store as a trusted certificate. It returns one on success and zero on error. This function internally increments x509's reference count, so the caller retains ownership of x509.

Certificates configured by this function are still subject to the checks described in X509_VERIFY_PARAM_set_trust.

Although store is not const, this function's use of store is thread-safe. However, if this function is called concurrently with X509_verify_cert, it is a race condition whether x509 is available for issuer lookups. Moreover, the result may differ for each issuer lookup performed by a single X509_verify_cert call.

X509_STORE_add_crl adds crl to store. It returns one on success and zero on error. This function internally increments crl's reference count, so the caller retains ownership of crl. CRLs added in this way are candidates for CRL lookup when X509_V_FLAG_CRL_CHECK is set.

Although store is not const, this function's use of store is thread-safe. However, if this function is called concurrently with X509_verify_cert, it is a race condition whether crl is available for CRL checks. Moreover, the result may differ for each CRL check performed by a single X509_verify_cert call.

Note there are no supported APIs to remove CRLs from store once inserted. To vary the set of CRLs over time, callers should either create a new X509_STORE or configure CRLs on a per-verification basis with X509_STORE_CTX_set0_crls.

X509_STORE_get0_param returns store's verification parameters. This object is mutable and may be modified by the caller. For an individual certificate verification operation, X509_STORE_CTX_init initializes the X509_STORE_CTX's parameters with these parameters.

WARNING: X509_STORE_CTX_init applies some default parameters (as in X509_VERIFY_PARAM_inherit) after copying store's parameters. This means it is impossible to leave some parameters unset at store. They must be explicitly unset after creating the X509_STORE_CTX.

As of writing these late defaults are a depth limit (see X509_VERIFY_PARAM_set_depth) and the X509_V_FLAG_TRUSTED_FIRST flag. This warning does not apply if the parameters were set in store.

TODO(crbug.com/boringssl/441): This behavior is very surprising. Can we remove this notion of late defaults? The unsettable value at X509_STORE is -1, which rejects everything but explicitly-trusted self-signed certificates. X509_V_FLAG_TRUSTED_FIRST is mostly a workaround for poor path-building.

X509_STORE_set1_param copies verification parameters from param as in X509_VERIFY_PARAM_set1. It returns one on success and zero on error.

X509_STORE_set_flags enables all values in flags in store's verification flags. flags should be a combination of X509_V_FLAG_* constants.

WARNING: These flags will be combined with default flags when copied to an X509_STORE_CTX. This means it is impossible to unset those defaults from the X509_STORE. See discussion in X509_STORE_get0_param.

X509_STORE_set_depth configures store to, by default, limit certificate chains to depth intermediate certificates. This count excludes both the target certificate and the trust anchor (root certificate).

X509_STORE_set_purpose configures the purpose check for store. See X509_VERIFY_PARAM_set_purpose for details.

X509_STORE_set_trust configures the trust check for store. See X509_VERIFY_PARAM_set_trust for details.

The following constants indicate the type of an X509_OBJECT.

X509_OBJECT_new returns a newly-allocated, empty X509_OBJECT or NULL on error.

X509_OBJECT_free releases memory associated with obj.

X509_OBJECT_get_type returns the type of obj, which will be one of the X509_LU_* constants.

X509_OBJECT_get0_X509 returns obj as a certificate, or NULL if obj is not a certificate.

X509_STORE_get1_objects returns a newly-allocated stack containing the contents of store, or NULL on error. The caller must release the result with sk_X509_OBJECT_pop_free and X509_OBJECT_free when done.

The result will include all certificates and CRLs added via X509_STORE_add_cert and X509_STORE_add_crl, as well as any cached objects added by X509_LOOKUP_add_dir. The last of these may change over time, as different objects are loaded from the filesystem. Callers should not depend on this caching behavior. The objects are returned in no particular order.

X509_STORE_CTX_new returns a newly-allocated, empty X509_STORE_CTX, or NULL on error.

X509_STORE_CTX_free releases memory associated with ctx.

X509_STORE_CTX_init initializes ctx to verify x509, using trusted certificates and parameters in store. It returns one on success and zero on error. chain is a list of untrusted intermediate certificates to use in verification.

ctx stores pointers to store, x509, and chain. Each of these objects must outlive ctx and may not be mutated for the duration of the certificate verification.

X509_verify_cert performs certifice verification with ctx, which must have been initialized with X509_STORE_CTX_init. It returns one on success and zero on error. On success, X509_STORE_CTX_get0_chain or X509_STORE_CTX_get1_chain may be used to return the verified certificate chain. On error, X509_STORE_CTX_get_error may be used to return additional error information.

WARNING: Most failure conditions from this function do not use the error queue. Use X509_STORE_CTX_get_error to determine the cause of the error.

X509_STORE_CTX_get0_chain, after a successful X509_verify_cert call, returns the verified certificate chain. The chain begins with the leaf and ends with trust anchor.

At other points, such as after a failed verification or during the deprecated verification callback, it returns the partial chain built so far. Callers should avoid relying on this as this exposes unstable library implementation details.

X509_STORE_CTX_get1_chain behaves like X509_STORE_CTX_get0_chain but returns a newly-allocated STACK_OF(X509) containing the completed chain, with each certificate's reference count incremented. Callers must free the result with sk_X509_pop_free and X509_free when done.

The following values are possible outputs of X509_STORE_CTX_get_error.

X509_STORE_CTX_get_error, after X509_verify_cert returns, returns X509_V_OK if verification succeeded or an X509_V_ERR_* describing why verification failed. This will be consistent with X509_verify_cert's return value, unless the caller used the deprecated verification callback (see X509_STORE_CTX_set_verify_cb) in a way that breaks ctx's invariants.

If called during the deprecated verification callback when ok is zero, it returns the current error under consideration.

X509_STORE_CTX_set_error sets ctx's error to err, which should be X509_V_OK or an X509_V_ERR_* constant. It is not expected to be called in typical X509_STORE_CTX usage, but may be used in callback APIs where applications synthesize X509_STORE_CTX error conditions. See also X509_STORE_CTX_set_verify_cb and SSL_CTX_set_cert_verify_callback.

X509_verify_cert_error_string returns err as a human-readable string, where err should be one of the X509_V_* values. If err is unknown, it returns a default description.

X509_STORE_CTX_get_error_depth returns the depth at which the error returned by X509_STORE_CTX_get_error occured. This is zero-indexed integer into the certificate chain. Zero indicates the target certificate, one its issuer, and so on.

X509_STORE_CTX_get_current_cert returns the certificate which caused the error returned by X509_STORE_CTX_get_error.

X509_STORE_CTX_get0_current_crl returns the CRL which caused the error returned by X509_STORE_CTX_get_error.

X509_STORE_CTX_get0_store returns the X509_STORE that ctx uses.

X509_STORE_CTX_get0_cert returns the leaf certificate that ctx is verifying.

X509_STORE_CTX_get0_untrusted returns the stack of untrusted intermediates used by ctx for certificate verification.

X509_STORE_CTX_set0_trusted_stack configures ctx to trust the certificates in sk. sk must remain valid for the duration of ctx. Calling this function causes ctx to ignore any certificates configured in the X509_STORE. Certificates in sk are still subject to the check described in X509_VERIFY_PARAM_set_trust.

WARNING: This function differs from most set0 functions in that it does not take ownership of its input. The caller is required to ensure the lifetimes are consistent.

X509_STORE_CTX_set0_crls configures ctx to consider the CRLs in sk as candidates for CRL lookup. sk must remain valid for the duration of ctx. These CRLs are considered in addition to CRLs found in X509_STORE.

WARNING: This function differs from most set0 functions in that it does not take ownership of its input. The caller is required to ensure the lifetimes are consistent.

X509_STORE_CTX_set_default looks up the set of parameters named name and applies those default verification parameters for ctx. As in X509_VERIFY_PARAM_inherit, only unset parameters are changed. This function returns one on success and zero on error.

The supported values of name are:

• "default" is an internal value which configures some late defaults. See the discussion in X509_STORE_get0_param.
• "pkcs7" configures default trust and purpose checks for PKCS#7 signatures.
• "smime_sign" configures trust and purpose checks for S/MIME signatures.
• "ssl_client" configures trust and purpose checks for TLS clients.
• "ssl_server" configures trust and purpose checks for TLS servers.

TODO(crbug.com/boringssl/441): Make "default" a no-op.

X509_STORE_CTX_get0_param returns ctx's verification parameters. This object is mutable and may be modified by the caller.

X509_STORE_CTX_set0_param returns ctx's verification parameters to param and takes ownership of param. After this function returns, the caller should not free param.

WARNING: This function discards any values which were previously applied in ctx, including the "default" parameters applied late in X509_STORE_CTX_init. These late defaults are not applied to parameters created standalone by X509_VERIFY_PARAM_new.

TODO(crbug.com/boringssl/441): This behavior is very surprising. Should we re-apply the late defaults in param, or somehow avoid this notion of late defaults altogether?

X509_STORE_CTX_set_flags enables all values in flags in ctx's verification flags. flags should be a combination of X509_V_FLAG_* constants.

X509_STORE_CTX_set_time configures certificate verification to use t instead of the current time. flags is ignored and should be zero.

X509_STORE_CTX_set_time_posix configures certificate verification to use t instead of the current time. t is interpreted as a POSIX timestamp in seconds. flags is ignored and should be zero.

X509_STORE_CTX_set_depth configures ctx to, by default, limit certificate chains to depth intermediate certificates. This count excludes both the target certificate and the trust anchor (root certificate).

X509_STORE_CTX_set_purpose simultaneously configures ctx's purpose and trust checks, if unset. It returns one on success and zero if purpose is not a valid purpose value. purpose should be an X509_PURPOSE_* constant. If so, it configures ctx with a purpose check of purpose and a trust check of purpose's corresponding trust value. If either the purpose or trust check had already been specified for ctx, that corresponding modification is silently dropped.

See X509_VERIFY_PARAM_set_purpose and X509_VERIFY_PARAM_set_trust for details on the purpose and trust checks, respectively.

If purpose is X509_PURPOSE_ANY, this function returns an error because it has no corresponding X509_TRUST_* value. It is not possible to set X509_PURPOSE_ANY with this function, only X509_VERIFY_PARAM_set_purpose.

WARNING: Unlike similarly named functions in this header, this function silently does not behave the same as X509_VERIFY_PARAM_set_purpose. Callers may use X509_VERIFY_PARAM_set_purpose with X509_STORE_CTX_get0_param to avoid this difference.

X509_STORE_CTX_set_trust configures ctx's trust check, if unset. It returns one on success and zero if trust is not a valid trust value. trust should be an X509_TRUST_* constant. If so, it configures ctx with a trust check of trust. If the trust check had already been specified for ctx, it silently does nothing.

See X509_VERIFY_PARAM_set_trust for details on the purpose and trust check.

WARNING: Unlike similarly named functions in this header, this function does not behave the same as X509_VERIFY_PARAM_set_trust. Callers may use X509_VERIFY_PARAM_set_trust with X509_STORE_CTX_get0_param to avoid this difference.

X509_VERIFY_PARAM_new returns a newly-allocated X509_VERIFY_PARAM, or NULL on error.

X509_VERIFY_PARAM_free releases memory associated with param.

X509_VERIFY_PARAM_inherit applies from as the default values for to. That is, for each parameter that is unset in to, it copies the value in from. This function returns one on success and zero on error.

X509_VERIFY_PARAM_set1 copies parameters from from to to. If a parameter is unset in from, the existing value in to is preserved. This function returns one on success and zero on error.

X509_V_FLAG_* are flags for X509_VERIFY_PARAM_set_flags and X509_VERIFY_PARAM_clear_flags.

X509_V_FLAG_CB_ISSUER_CHECK causes the deprecated verify callback (see X509_STORE_CTX_set_verify_cb) to be called for errors while matching subject and issuer certificates.

X509_V_FLAG_USE_CHECK_TIME is an internal flag used to track whether X509_STORE_CTX_set_time has been used. If cleared, the system time is restored.

X509_V_FLAG_CRL_CHECK enables CRL lookup and checking for the leaf.

X509_V_FLAG_CRL_CHECK_ALL enables CRL lookup and checking for the entire certificate chain. X509_V_FLAG_CRL_CHECK must be set for this flag to take effect.

X509_V_FLAG_IGNORE_CRITICAL ignores unhandled critical extensions. Do not use this option. Critical extensions ensure the verifier does not bypass unrecognized security restrictions in certificates.

X509_V_FLAG_X509_STRICT does nothing. Its functionality has been enabled by default.

X509_V_FLAG_ALLOW_PROXY_CERTS does nothing. Proxy certificate support has been removed.

X509_V_FLAG_POLICY_CHECK does nothing. Policy checking is always enabled.

X509_V_FLAG_EXPLICIT_POLICY requires some policy OID to be asserted by the final certificate chain. See initial-explicit-policy from RFC 5280, section 6.1.1.

X509_V_FLAG_INHIBIT_ANY inhibits the anyPolicy OID. See initial-any-policy-inhibit from RFC 5280, section 6.1.1.

X509_V_FLAG_INHIBIT_MAP inhibits policy mapping. See initial-policy-mapping-inhibit from RFC 5280, section 6.1.1.

X509_V_FLAG_NOTIFY_POLICY does nothing. Its functionality has been removed.

X509_V_FLAG_EXTENDED_CRL_SUPPORT causes all verifications to fail. Extended CRL features have been removed.

X509_V_FLAG_USE_DELTAS causes all verifications to fail. Delta CRL support has been removed.

X509_V_FLAG_CHECK_SS_SIGNATURE checks the redundant signature on self-signed trust anchors. This check provides no security benefit and only wastes CPU.

X509_V_FLAG_TRUSTED_FIRST, during path-building, checks for a match in the trust store before considering an untrusted intermediate. This flag is enabled by default.

X509_V_FLAG_PARTIAL_CHAIN treats all trusted certificates as trust anchors, independent of the X509_VERIFY_PARAM_set_trust setting.

X509_V_FLAG_NO_ALT_CHAINS disables building alternative chains if the initial one was rejected.

X509_V_FLAG_NO_CHECK_TIME disables all time checks in certificate verification.

X509_VERIFY_PARAM_set_flags enables all values in flags in param's verification flags and returns one. flags should be a combination of X509_V_FLAG_* constants.

X509_VERIFY_PARAM_clear_flags disables all values in flags in param's verification flags and returns one. flags should be a combination of X509_V_FLAG_* constants.

X509_VERIFY_PARAM_get_flags returns param's verification flags.

X509_VERIFY_PARAM_set_depth configures param to limit certificate chains to depth intermediate certificates. This count excludes both the target certificate and the trust anchor (root certificate).

X509_VERIFY_PARAM_get_depth returns the maximum depth configured in param. See X509_VERIFY_PARAM_set_depth.

X509_VERIFY_PARAM_set_time configures certificate verification to use t instead of the current time.

X509_VERIFY_PARAM_set_time_posix configures certificate verification to use t instead of the current time. t is interpreted as a POSIX timestamp in seconds.

X509_VERIFY_PARAM_add0_policy adds policy to the user-initial-policy-set (see Section 6.1.1 of RFC 5280). On success, it takes ownership of policy and returns one. Otherwise, it returns zero and the caller retains owneship of policy.

X509_VERIFY_PARAM_set1_policies sets the user-initial-policy-set (see Section 6.1.1 of RFC 5280) to a copy of policies. It returns one on success and zero on error.

X509_VERIFY_PARAM_set1_host configures param to check for the DNS name specified by name. It returns one on success and zero on error.

By default, both subject alternative names and the subject's common name attribute are checked. The latter has long been deprecated, so callers should call X509_VERIFY_PARAM_set_hostflags with X509_CHECK_FLAG_NEVER_CHECK_SUBJECT to use the standard behavior. https://crbug.com/boringssl/464 tracks fixing the default.

X509_VERIFY_PARAM_add1_host adds name to the list of names checked by param. If any configured DNS name matches the certificate, verification succeeds. It returns one on success and zero on error.

By default, both subject alternative names and the subject's common name attribute are checked. The latter has long been deprecated, so callers should call X509_VERIFY_PARAM_set_hostflags with X509_CHECK_FLAG_NEVER_CHECK_SUBJECT to use the standard behavior. https://crbug.com/boringssl/464 tracks fixing the default.

X509_CHECK_FLAG_NO_WILDCARDS disables wildcard matching for DNS names.

X509_CHECK_FLAG_NEVER_CHECK_SUBJECT disables the subject fallback, normally enabled when subjectAltNames is missing.

X509_VERIFY_PARAM_set_hostflags sets the name-checking flags on param to flags. flags should be a combination of X509_CHECK_FLAG_* constants.

X509_VERIFY_PARAM_set1_email configures param to check for the email address specified by email. It returns one on success and zero on error.

By default, both subject alternative names and the subject's email address attribute are checked. The X509_CHECK_FLAG_NEVER_CHECK_SUBJECT flag may be used to change this behavior.

X509_VERIFY_PARAM_set1_ip configures param to check for the IP address specified by ip. It returns one on success and zero on error. The IP address is specified in its binary representation. ip_len must be 4 for an IPv4 address and 16 for an IPv6 address.

X509_VERIFY_PARAM_set1_ip_asc decodes ipasc as the ASCII representation of an IPv4 or IPv6 address, and configures param to check for it. It returns one on success and zero on error.

X509_PURPOSE_SSL_CLIENT validates TLS client certificates. It checks for the id-kp-clientAuth EKU and one of digitalSignature or keyAgreement key usages. The TLS library is expected to check for the key usage specific to the negotiated TLS parameters.

X509_PURPOSE_SSL_SERVER validates TLS server certificates. It checks for the id-kp-clientAuth EKU and one of digitalSignature, keyAgreement, or keyEncipherment key usages. The TLS library is expected to check for the key usage specific to the negotiated TLS parameters.

X509_PURPOSE_NS_SSL_SERVER is a legacy mode. It behaves like X509_PURPOSE_SSL_SERVER, but only accepts the keyEncipherment key usage, used by SSL 2.0 and RSA key exchange. Do not use this.

X509_PURPOSE_SMIME_SIGN validates S/MIME signing certificates. It checks for the id-kp-emailProtection EKU and one of digitalSignature or nonRepudiation key usages.

X509_PURPOSE_SMIME_ENCRYPT validates S/MIME encryption certificates. It checks for the id-kp-emailProtection EKU and keyEncipherment key usage.

X509_PURPOSE_CRL_SIGN validates indirect CRL signers. It checks for the cRLSign key usage. BoringSSL does not support indirect CRLs and does not use this mode.

X509_PURPOSE_ANY performs no EKU or key usage checks. Such checks are the responsibility of the caller.

X509_PURPOSE_OCSP_HELPER performs no EKU or key usage checks. It was historically used in OpenSSL's OCSP implementation, which left those checks to the OCSP implementation itself.

X509_PURPOSE_TIMESTAMP_SIGN validates Time Stamping Authority (RFC 3161) certificates. It checks for the id-kp-timeStamping EKU and one of digitalSignature or nonRepudiation key usages. It additionally checks that the EKU extension is critical and that no other EKUs or key usages are asserted.

X509_VERIFY_PARAM_set_purpose configures param to validate certificates for a specified purpose. It returns one on success and zero if purpose is not a valid purpose type. purpose should be one of the X509_PURPOSE_* values.

This option controls checking the extended key usage (EKU) and key usage extensions. These extensions specify how a certificate's public key may be used and are important to avoid cross-protocol attacks, particularly in PKIs that may issue certificates for multiple protocols, or for protocols that use keys in multiple ways. If not configured, these security checks are the caller's responsibility.

This library applies the EKU checks to all untrusted intermediates. Although not defined in RFC 5280, this matches widely-deployed practice. It also does not accept anyExtendedKeyUsage.

Many purpose values have a corresponding trust value, which is not configured by this function. See X509_VERIFY_PARAM_set_trust for details. Callers that wish to configure both should either call both functions, or use X509_STORE_CTX_set_purpose.

It is currently not possible to configure custom EKU OIDs or key usage bits. Contact the BoringSSL maintainers if your application needs to do so. OpenSSL had an X509_PURPOSE_add API, but it was not thread-safe and relied on global mutable state, so we removed it.

TODO(davidben): This function additionally configures checking the legacy Netscape certificate type extension. Remove this.

X509_TRUST_COMPAT evaluates trust using only the self-signed fallback. Trust and distrust OIDs are ignored.

X509_TRUST_SSL_CLIENT evaluates trust with the NID_client_auth OID, for validating TLS client certificates.

X509_TRUST_SSL_SERVER evaluates trust with the NID_server_auth OID, for validating TLS server certificates.

X509_TRUST_EMAIL evaluates trust with the NID_email_protect OID, for validating S/MIME email certificates.

X509_TRUST_OBJECT_SIGN evaluates trust with the NID_code_sign OID, for validating code signing certificates.

X509_TRUST_TSA evaluates trust with the NID_time_stamp OID, for validating Time Stamping Authority (RFC 3161) certificates.

X509_VERIFY_PARAM_set_trust configures which certificates from X509_STORE are trust anchors. It returns one on success and zero if trust is not a valid trust value. trust should be one of the X509_TRUST_* constants. This function allows applications to vary trust anchors when the same set of trusted certificates is used in multiple contexts.

Two properties determine whether a certificate is a trust anchor:

• Whether it is trusted or distrusted for some OID, via auxiliary information configured by X509_add1_trust_object or X509_add1_reject_object.
• Whether it is "self-signed". That is, whether X509_get_extension_flags includes EXFLAG_SS. The signature itself is not checked.

When this function is called, trust determines the OID to check in the first case. If the certificate is not explicitly trusted or distrusted for any OID, it is trusted if self-signed instead.

If unset, the default behavior is to check for the NID_anyExtendedKeyUsage OID. If the certificate is not explicitly trusted or distrusted for this OID, it is trusted if self-signed instead. Note this slightly differs from the above.

If the X509_V_FLAG_PARTIAL_CHAIN is set, every certificate from X509_STORE is a trust anchor, unless it was explicitly distrusted for the OID.

It is currently not possible to configure custom trust OIDs. Contact the BoringSSL maintainers if your application needs to do so. OpenSSL had an X509_TRUST_add API, but it was not thread-safe and relied on global mutable state, so we removed it.

X509_STORE_load_locations configures store to load data from filepaths file and dir. It returns one on success and zero on error. Either of file or dir may be NULL, but at least one must be non-NULL.

If file is non-NULL, it loads CRLs and trusted certificates in PEM format from the file at file, and them to store, as in X509_load_cert_crl_file with X509_FILETYPE_PEM.

If dir is non-NULL, it configures store to load CRLs and trusted certificates from the directory at dir in PEM format, as in X509_LOOKUP_add_dir with X509_FILETYPE_PEM.

X509_STORE_add_lookup returns an X509_LOOKUP associated with store with type method, or NULL on error. The result is owned by store, so callers are not expected to free it. This may be used with X509_LOOKUP_add_dir or X509_LOOKUP_load_file, depending on method, to configure store.

A single X509_LOOKUP may be configured with multiple paths, and an X509_STORE only contains one X509_LOOKUP of each type, so there is no need to call this function multiple times for a single type. Calling it multiple times will return the previous X509_LOOKUP of that type.

X509_LOOKUP_hash_dir creates X509_LOOKUPs that may be used with X509_LOOKUP_add_dir.

X509_LOOKUP_file creates X509_LOOKUPs that may be used with X509_LOOKUP_load_file.

Although this is modeled as an X509_LOOKUP, this function is redundant. It has the same effect as loading a certificate or CRL from the filesystem, in the caller's desired format, and then adding it with X509_STORE_add_cert and X509_STORE_add_crl.

The following constants are used to specify the format of files in an X509_LOOKUP.

X509_LOOKUP_load_file calls X509_load_cert_crl_file. lookup must have been constructed with X509_LOOKUP_file.

If type is X509_FILETYPE_DEFAULT, it ignores file and instead uses some default system path with X509_FILETYPE_PEM. See also X509_STORE_set_default_paths.

X509_LOOKUP_add_dir configures lookup to load CRLs and trusted certificates from the directories in path. It returns one on success and zero on error. lookup must have been constructed with X509_LOOKUP_hash_dir.

WARNING: path is interpreted as a colon-separated (semicolon-separated on Windows) list of paths. It is not possible to configure a path containing the separator character. https://crbug.com/boringssl/691 tracks removing this behavior.

type should be one of the X509_FILETYPE_* constants and determines the format of the files. If type is X509_FILETYPE_DEFAULT, path is ignored and some default system path is used with X509_FILETYPE_PEM. See also X509_STORE_set_default_paths.

Trusted certificates should be named HASH.N and CRLs should be named HASH.rN. HASH is X509_NAME_hash of the certificate subject and CRL issuer, respectively, in hexadecimal. N is in decimal and counts hash collisions consecutively, starting from zero. For example, "002c0b4f.0" and "002c0b4f.r0".

WARNING: Objects from path are loaded on demand, but cached in memory on the X509_STORE. If a CA is removed from the directory, existing X509_STOREs will continue to trust it. Cache entries are not evicted for the lifetime of the X509_STORE.

WARNING: This mechanism is also not well-suited for CRL updates. X509_STOREs rely on this cache and never load the same CRL file twice. CRL updates must use a new file, with an incremented suffix, to be reflected in existing X509_STOREs. However, this means each CRL update will use additional storage and memory. Instead, configure inputs that vary per verification, such as CRLs, on each X509_STORE_CTX separately, using functions like X509_STORE_CTX_set0_crl.

X509_L_* are commands for X509_LOOKUP_ctrl.

X509_LOOKUP_ctrl implements commands on lookup. cmd specifies the command. The other arguments specify the operation in a command-specific way. Use X509_LOOKUP_load_file or X509_LOOKUP_add_dir instead.

X509_load_cert_file loads trusted certificates from file and adds them to lookup's X509_STORE. It returns one on success and zero on error.

If type is X509_FILETYPE_ASN1, it loads a single DER-encoded certificate. If type is X509_FILETYPE_PEM, it loads a sequence of PEM-encoded certificates. type may not be X509_FILETYPE_DEFAULT.

X509_load_crl_file loads CRLs from file and add them it to lookup's X509_STORE. It returns one on success and zero on error.

If type is X509_FILETYPE_ASN1, it loads a single DER-encoded CRL. If type is X509_FILETYPE_PEM, it loads a sequence of PEM-encoded CRLs. type may not be X509_FILETYPE_DEFAULT.

X509_load_cert_crl_file loads CRLs and trusted certificates from file and adds them to lookup's X509_STORE. It returns one on success and zero on error.

If type is X509_FILETYPE_ASN1, it loads a single DER-encoded certificate. This function cannot be used to load a DER-encoded CRL. If type is X509_FILETYPE_PEM, it loads a sequence of PEM-encoded certificates and CRLs. type may not be X509_FILETYPE_DEFAULT.

X509_NAME_hash returns a hash of name, or zero on error. This is the new hash used by X509_LOOKUP_add_dir.

This hash is specific to the X509_LOOKUP_add_dir filesystem format and is not suitable for general-purpose X.509 name processing. It is very short, so there will be hash collisions. It also depends on an OpenSSL-specific canonicalization process.

TODO(https://crbug.com/boringssl/407): This should be const and thread-safe but currently is neither, notably if name was modified from its parsed value.

X509_NAME_hash_old returns a hash of name, or zero on error. This is the legacy hash used by X509_LOOKUP_add_dir, which is still supported for compatibility.

This hash is specific to the X509_LOOKUP_add_dir filesystem format and is not suitable for general-purpose X.509 name processing. It is very short, so there will be hash collisions.

TODO(https://crbug.com/boringssl/407): This should be const and thread-safe but currently is neither, notably if name was modified from its parsed value.

X509_STORE_set_default_paths configures store to read from some "default" filesystem paths. It returns one on success and zero on error. The filesystem paths are determined by a combination of hardcoded paths and the SSL_CERT_DIR and SSL_CERT_FILE environment variables.

Using this function is not recommended. In OpenSSL, these defaults are determined by OpenSSL's install prefix. There is no corresponding concept for BoringSSL. Future versions of BoringSSL may change or remove this functionality.

The following functions return filesystem paths used to determine the above "default" paths, when the corresponding environment variables are not set.

Using these functions is not recommended. In OpenSSL, these defaults are determined by OpenSSL's install prefix. There is no corresponding concept for BoringSSL. Future versions of BoringSSL may change or remove this functionality.

X509_get_default_cert_dir_env returns "SSL_CERT_DIR", an environment variable used to determine the above "default" paths.

X509_get_default_cert_file_env returns "SSL_CERT_FILE", an environment variable used to determine the above "default" paths.

A Netscape_spki_st, or NETSCAPE_SPKI, represents a SignedPublicKeyAndChallenge structure. Although this structure contains a spkac field of type NETSCAPE_SPKAC, these are misnamed. The SPKAC is the entire structure, not the signed portion.

NETSCAPE_SPKI_new returns a newly-allocated, empty NETSCAPE_SPKI object, or NULL on error.

NETSCAPE_SPKI_free releases memory associated with spki.

d2i_NETSCAPE_SPKI parses up to len bytes from *inp as a DER-encoded SignedPublicKeyAndChallenge structure, as described in d2i_SAMPLE.

i2d_NETSCAPE_SPKI marshals spki as a DER-encoded SignedPublicKeyAndChallenge structure, as described in i2d_SAMPLE.