1*2175Sjp161948=pod 2*2175Sjp161948 3*2175Sjp161948=head1 NAME 4*2175Sjp161948 5*2175Sjp161948d2i_X509, i2d_X509, d2i_X509_bio, d2i_X509_fp, i2d_X509_bio, 6*2175Sjp161948i2d_X509_fp - X509 encode and decode functions 7*2175Sjp161948 8*2175Sjp161948=head1 SYNOPSIS 9*2175Sjp161948 10*2175Sjp161948 #include <openssl/x509.h> 11*2175Sjp161948 12*2175Sjp161948 X509 *d2i_X509(X509 **px, const unsigned char **in, int len); 13*2175Sjp161948 int i2d_X509(X509 *x, unsigned char **out); 14*2175Sjp161948 15*2175Sjp161948 X509 *d2i_X509_bio(BIO *bp, X509 **x); 16*2175Sjp161948 X509 *d2i_X509_fp(FILE *fp, X509 **x); 17*2175Sjp161948 18*2175Sjp161948 int i2d_X509_bio(X509 *x, BIO *bp); 19*2175Sjp161948 int i2d_X509_fp(X509 *x, FILE *fp); 20*2175Sjp161948 21*2175Sjp161948=head1 DESCRIPTION 22*2175Sjp161948 23*2175Sjp161948The X509 encode and decode routines encode and parse an 24*2175Sjp161948B<X509> structure, which represents an X509 certificate. 25*2175Sjp161948 26*2175Sjp161948d2i_X509() attempts to decode B<len> bytes at B<*in>. If 27*2175Sjp161948successful a pointer to the B<X509> structure is returned. If an error 28*2175Sjp161948occurred then B<NULL> is returned. If B<px> is not B<NULL> then the 29*2175Sjp161948returned structure is written to B<*px>. If B<*px> is not B<NULL> 30*2175Sjp161948then it is assumed that B<*px> contains a valid B<X509> 31*2175Sjp161948structure and an attempt is made to reuse it. If the call is 32*2175Sjp161948successful B<*in> is incremented to the byte following the 33*2175Sjp161948parsed data. 34*2175Sjp161948 35*2175Sjp161948i2d_X509() encodes the structure pointed to by B<x> into DER format. 36*2175Sjp161948If B<out> is not B<NULL> is writes the DER encoded data to the buffer 37*2175Sjp161948at B<*out>, and increments it to point after the data just written. 38*2175Sjp161948If the return value is negative an error occurred, otherwise it 39*2175Sjp161948returns the length of the encoded data. 40*2175Sjp161948 41*2175Sjp161948For OpenSSL 0.9.7 and later if B<*out> is B<NULL> memory will be 42*2175Sjp161948allocated for a buffer and the encoded data written to it. In this 43*2175Sjp161948case B<*out> is not incremented and it points to the start of the 44*2175Sjp161948data just written. 45*2175Sjp161948 46*2175Sjp161948d2i_X509_bio() is similar to d2i_X509() except it attempts 47*2175Sjp161948to parse data from BIO B<bp>. 48*2175Sjp161948 49*2175Sjp161948d2i_X509_fp() is similar to d2i_X509() except it attempts 50*2175Sjp161948to parse data from FILE pointer B<fp>. 51*2175Sjp161948 52*2175Sjp161948i2d_X509_bio() is similar to i2d_X509() except it writes 53*2175Sjp161948the encoding of the structure B<x> to BIO B<bp> and it 54*2175Sjp161948returns 1 for success and 0 for failure. 55*2175Sjp161948 56*2175Sjp161948i2d_X509_fp() is similar to i2d_X509() except it writes 57*2175Sjp161948the encoding of the structure B<x> to BIO B<bp> and it 58*2175Sjp161948returns 1 for success and 0 for failure. 59*2175Sjp161948 60*2175Sjp161948=head1 NOTES 61*2175Sjp161948 62*2175Sjp161948The letters B<i> and B<d> in for example B<i2d_X509> stand for 63*2175Sjp161948"internal" (that is an internal C structure) and "DER". So that 64*2175Sjp161948B<i2d_X509> converts from internal to DER. 65*2175Sjp161948 66*2175Sjp161948The functions can also understand B<BER> forms. 67*2175Sjp161948 68*2175Sjp161948The actual X509 structure passed to i2d_X509() must be a valid 69*2175Sjp161948populated B<X509> structure it can B<not> simply be fed with an 70*2175Sjp161948empty structure such as that returned by X509_new(). 71*2175Sjp161948 72*2175Sjp161948The encoded data is in binary form and may contain embedded zeroes. 73*2175Sjp161948Therefore any FILE pointers or BIOs should be opened in binary mode. 74*2175Sjp161948Functions such as B<strlen()> will B<not> return the correct length 75*2175Sjp161948of the encoded structure. 76*2175Sjp161948 77*2175Sjp161948The ways that B<*in> and B<*out> are incremented after the operation 78*2175Sjp161948can trap the unwary. See the B<WARNINGS> section for some common 79*2175Sjp161948errors. 80*2175Sjp161948 81*2175Sjp161948The reason for the auto increment behaviour is to reflect a typical 82*2175Sjp161948usage of ASN1 functions: after one structure is encoded or decoded 83*2175Sjp161948another will processed after it. 84*2175Sjp161948 85*2175Sjp161948=head1 EXAMPLES 86*2175Sjp161948 87*2175Sjp161948Allocate and encode the DER encoding of an X509 structure: 88*2175Sjp161948 89*2175Sjp161948 int len; 90*2175Sjp161948 unsigned char *buf, *p; 91*2175Sjp161948 92*2175Sjp161948 len = i2d_X509(x, NULL); 93*2175Sjp161948 94*2175Sjp161948 buf = OPENSSL_malloc(len); 95*2175Sjp161948 96*2175Sjp161948 if (buf == NULL) 97*2175Sjp161948 /* error */ 98*2175Sjp161948 99*2175Sjp161948 p = buf; 100*2175Sjp161948 101*2175Sjp161948 i2d_X509(x, &p); 102*2175Sjp161948 103*2175Sjp161948If you are using OpenSSL 0.9.7 or later then this can be 104*2175Sjp161948simplified to: 105*2175Sjp161948 106*2175Sjp161948 107*2175Sjp161948 int len; 108*2175Sjp161948 unsigned char *buf; 109*2175Sjp161948 110*2175Sjp161948 buf = NULL; 111*2175Sjp161948 112*2175Sjp161948 len = i2d_X509(x, &buf); 113*2175Sjp161948 114*2175Sjp161948 if (len < 0) 115*2175Sjp161948 /* error */ 116*2175Sjp161948 117*2175Sjp161948Attempt to decode a buffer: 118*2175Sjp161948 119*2175Sjp161948 X509 *x; 120*2175Sjp161948 121*2175Sjp161948 unsigned char *buf, *p; 122*2175Sjp161948 123*2175Sjp161948 int len; 124*2175Sjp161948 125*2175Sjp161948 /* Something to setup buf and len */ 126*2175Sjp161948 127*2175Sjp161948 p = buf; 128*2175Sjp161948 129*2175Sjp161948 x = d2i_X509(NULL, &p, len); 130*2175Sjp161948 131*2175Sjp161948 if (x == NULL) 132*2175Sjp161948 /* Some error */ 133*2175Sjp161948 134*2175Sjp161948Alternative technique: 135*2175Sjp161948 136*2175Sjp161948 X509 *x; 137*2175Sjp161948 138*2175Sjp161948 unsigned char *buf, *p; 139*2175Sjp161948 140*2175Sjp161948 int len; 141*2175Sjp161948 142*2175Sjp161948 /* Something to setup buf and len */ 143*2175Sjp161948 144*2175Sjp161948 p = buf; 145*2175Sjp161948 146*2175Sjp161948 x = NULL; 147*2175Sjp161948 148*2175Sjp161948 if(!d2i_X509(&x, &p, len)) 149*2175Sjp161948 /* Some error */ 150*2175Sjp161948 151*2175Sjp161948 152*2175Sjp161948=head1 WARNINGS 153*2175Sjp161948 154*2175Sjp161948The use of temporary variable is mandatory. A common 155*2175Sjp161948mistake is to attempt to use a buffer directly as follows: 156*2175Sjp161948 157*2175Sjp161948 int len; 158*2175Sjp161948 unsigned char *buf; 159*2175Sjp161948 160*2175Sjp161948 len = i2d_X509(x, NULL); 161*2175Sjp161948 162*2175Sjp161948 buf = OPENSSL_malloc(len); 163*2175Sjp161948 164*2175Sjp161948 if (buf == NULL) 165*2175Sjp161948 /* error */ 166*2175Sjp161948 167*2175Sjp161948 i2d_X509(x, &buf); 168*2175Sjp161948 169*2175Sjp161948 /* Other stuff ... */ 170*2175Sjp161948 171*2175Sjp161948 OPENSSL_free(buf); 172*2175Sjp161948 173*2175Sjp161948This code will result in B<buf> apparently containing garbage because 174*2175Sjp161948it was incremented after the call to point after the data just written. 175*2175Sjp161948Also B<buf> will no longer contain the pointer allocated by B<OPENSSL_malloc()> 176*2175Sjp161948and the subsequent call to B<OPENSSL_free()> may well crash. 177*2175Sjp161948 178*2175Sjp161948The auto allocation feature (setting buf to NULL) only works on OpenSSL 179*2175Sjp1619480.9.7 and later. Attempts to use it on earlier versions will typically 180*2175Sjp161948cause a segmentation violation. 181*2175Sjp161948 182*2175Sjp161948Another trap to avoid is misuse of the B<xp> argument to B<d2i_X509()>: 183*2175Sjp161948 184*2175Sjp161948 X509 *x; 185*2175Sjp161948 186*2175Sjp161948 if (!d2i_X509(&x, &p, len)) 187*2175Sjp161948 /* Some error */ 188*2175Sjp161948 189*2175Sjp161948This will probably crash somewhere in B<d2i_X509()>. The reason for this 190*2175Sjp161948is that the variable B<x> is uninitialized and an attempt will be made to 191*2175Sjp161948interpret its (invalid) value as an B<X509> structure, typically causing 192*2175Sjp161948a segmentation violation. If B<x> is set to NULL first then this will not 193*2175Sjp161948happen. 194*2175Sjp161948 195*2175Sjp161948=head1 BUGS 196*2175Sjp161948 197*2175Sjp161948In some versions of OpenSSL the "reuse" behaviour of d2i_X509() when 198*2175Sjp161948B<*px> is valid is broken and some parts of the reused structure may 199*2175Sjp161948persist if they are not present in the new one. As a result the use 200*2175Sjp161948of this "reuse" behaviour is strongly discouraged. 201*2175Sjp161948 202*2175Sjp161948i2d_X509() will not return an error in many versions of OpenSSL, 203*2175Sjp161948if mandatory fields are not initialized due to a programming error 204*2175Sjp161948then the encoded structure may contain invalid data or omit the 205*2175Sjp161948fields entirely and will not be parsed by d2i_X509(). This may be 206*2175Sjp161948fixed in future so code should not assume that i2d_X509() will 207*2175Sjp161948always succeed. 208*2175Sjp161948 209*2175Sjp161948=head1 RETURN VALUES 210*2175Sjp161948 211*2175Sjp161948d2i_X509(), d2i_X509_bio() and d2i_X509_fp() return a valid B<X509> structure 212*2175Sjp161948or B<NULL> if an error occurs. The error code that can be obtained by 213*2175Sjp161948L<ERR_get_error(3)|ERR_get_error(3)>. 214*2175Sjp161948 215*2175Sjp161948i2d_X509(), i2d_X509_bio() and i2d_X509_fp() return a the number of bytes 216*2175Sjp161948successfully encoded or a negative value if an error occurs. The error code 217*2175Sjp161948can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. 218*2175Sjp161948 219*2175Sjp161948i2d_X509_bio() and i2d_X509_fp() returns 1 for success and 0 if an error 220*2175Sjp161948occurs The error code can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. 221*2175Sjp161948 222*2175Sjp161948=head1 SEE ALSO 223*2175Sjp161948 224*2175Sjp161948L<ERR_get_error(3)|ERR_get_error(3)> 225*2175Sjp161948 226*2175Sjp161948=head1 HISTORY 227*2175Sjp161948 228*2175Sjp161948d2i_X509, i2d_X509, d2i_X509_bio, d2i_X509_fp, i2d_X509_bio and i2d_X509_fp 229*2175Sjp161948are available in all versions of SSLeay and OpenSSL. 230*2175Sjp161948 231*2175Sjp161948=cut 232