From: Dr. Stephen Henson Date: Tue, 1 Sep 2015 17:56:58 +0000 (+0100) Subject: Document extension functions X-Git-Tag: OpenSSL_1_1_0-pre1~744 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=361136f4b39de26edcc275f8fe1471bcb90feb64;p=openssl Document extension functions Reviewed-by: Rich Salz --- diff --git a/doc/crypto/X509_get_extension_flags.pod b/doc/crypto/X509_get_extension_flags.pod new file mode 100644 index 0000000000..2950bd784c --- /dev/null +++ b/doc/crypto/X509_get_extension_flags.pod @@ -0,0 +1,115 @@ +=pod + +=head1 NAME + +X509_get_extension_flags, X509_get_key_usage, X509_get_extended_key_usage - +retrieve certificate extension flags. + +=head1 SYNOPSIS + + #include + + uint32_t X509_get_extension_flags(X509 *x); + uint32_t X509_get_key_usage(X509 *x); + uint32_t X509_get_extended_key_usage(X509 *x); + +=head1 DESCRIPTION + +These functions retrieve flags related to commonly used certificate extensions. + +X509_get_extension_flags() retrieves general information about a certificate, +it will return one or more of the following flags ored together. + +=over 4 + +=item B + +The certificate is an obsolete version 1 certificate. + +=item B + +The certificate contains a basic constraints extension. + +=item B + +The certificate contains basic constraints and asserts the CA flag. + +=item B + +The certificate is a valid proxy certificate. + +=item B + +The certificate is self issued (that is subject and issuer names match). + +=item B + +The subject and issuer names match and extension values imply it is self +signed. + +=item B + +The freshest CRL extension is present in the certificate. + +=item B + +The certificate contains an unhandled critical extension. + +=item B + +Some certificate extension values are invalid or inconsistent. The +certificate should be rejected. + +=item B + +The certificate contains a key usage extension. The value can be retrieved +using X509_get_key_usage(). + +=item B + +The certificate contains an extended key usage extension. The value can be +retrieved using X509_get_extended_key_usage(). + +=back + +X509_get_key_usage() returns the value of the key usage extension. If key +usage is present will return zero or more of the flags: +B, B, B, +B, B, B, +B, B or B corresponding to +individual key usage bits. If key usage is absent then B is +returned. + +X509_get_extended_key_usage() returns the value of the extended key usage +extension. If extended key usage is present it will return zero or more of the +flags: B, B, B, B +B, B, B or B. These +correspond to the OIDs B, B, +B, B, B, +B, B and B respectively. +Additionally B is set if either Netscape or Microsoft SGC OIDs are +present. + +=head1 NOTES + +The value of the flags correspond to extension values which are cached +in the B structure. If the flags returned do not provide sufficient +information an application should examine extension values directly. + +If the key usage or extended key usage extension is absent then typically usage +is unrestricted. For this reason X509_get_key_usage() and +X509_get_extended_key_usage() return B when the corresponding +extension is absent. Applications can additionally check the return value of +X509_get_extension_flags() and take appropriate action is an extension is +absent. + +=head1 RETURN VALUE + +These functions all return sets of flags corresponding to the certificate +extension values. + +=head1 SEE ALSO + +L + +=cut