NAME

X509V3_EXT_print — pretty-print an X.509 extension

SYNOPSIS

#include <openssl/x509v3.h> int
X509V3_EXT_print(BIO *bio, X509_EXTENSION *ext, unsigned long flags, int indent);

DESCRIPTION

X509V3_EXT_print() decodes ext and prints the data contained in it to bio in a human-readable format with a left margin of indent space characters. The details of both the decoding and the printing depend on the type of ext. For most extension types, the decoding is done in the same way as it would be done by the appropriate public API function, for example:

extension type

decoding function

NID_subject_key_identifier

d2i_ASN1_OCTET_STRING(3)

NID_key_usage

d2i_ASN1_BIT_STRING(3)

NID_crl_number

d2i_ASN1_INTEGER(3)

NID_crl_reason

d2i_ASN1_ENUMERATED(3)

NID_invalidity_date

d2i_ASN1_GENERALIZEDTIME(3)

NID_subject_alt_name

d2i_GENERAL_NAMES(3)

NID_hold_instruction_code

d2i_ASN1_OBJECT(3)

NID_id_pkix_OCSP_noCheck

d2i_ASN1_NULL(3)

NID_authority_key_identifier

d2i_AUTHORITY_KEYID(3)

NID_certificate_policies

d2i_CERTIFICATEPOLICIES(3)

NID_id_pkix_OCSP_CrlID

d2i_OCSP_CRLID(3)

NID_id_pkix_OCSP_Nonce

non-public function built into the library

For some types, the printing is performed by a dedicated non-public function built into the library. For some other types, the printing function is a public API function, but none of these printing functions are documented yet. If ext is of an unknown extension type or if decoding fails while using the decoding function for the relevant type, the action taken depends on the flags argument:

• If the bit X509V3_EXT_PARSE_UNKNOWN is set, ASN1_parse_dump(3) is called on the BER-encoded data of the extension, passing -1 for the dump argument. Thus, some information about the encoding of the extension gets printed and some about its decoded content, falling back to BIO_dump_indent(3) for the decoded content unless a dedicated printing method is known for the respective data type(s). Note that even if an extension type is unknown, the data type used by the unknown extension, or, if that data type is constructed, of the values contained in it, may still be known, which may allow printing the content of even an unknown extension in a structured or partially structured form.
• If the bit X509V3_EXT_DUMP_UNKNOWN is set, BIO_dump_indent(3) is called on the BER-encoded data of the extension without decoding it first, which is usually less readable than the above but poses a smaller risk of omitting or misrepresenting parts of the information.
• If the bit X509V3_EXT_ERROR_UNKNOWN is set, only the fixed string “<Not Supported>” is printed for an unknown type or only the fixed string “<Parse Error>” if the parsing functions fails, but printing is considered as successful anyway.
• If more than one of these three bits is set, or if a bit in X509V3_EXT_UNKNOWN_MASK is set that is not listed above, nothing is printed, but printing is considered as successful anyway.
• If none of the bits in X509V3_EXT_UNKNOWN_MASK are set, nothing is printed and printing is considered as failed.

RETURN VALUES

X509V3_EXT_print() returns 0 if failure was both detected and considered relevant. Otherwise, 1 is returned, and in general the user cannot tell whether failure simply went undetected, whether the function detected failure but regarded it as irrelevant, or whether printing did indeed succeed.

SEE ALSO

BIO_new(3), X509_EXTENSION_new(3), X509_get0_extensions(3), X509_get_ext(3), X509V3_extensions_print(3)

HISTORY

X509V3_EXT_print() first appeared in OpenSSL 0.9.2 and has been available since OpenBSD 2.6.

BUGS

X509V3_EXT_print() lacks error handling throughout. When a write operation fails, it will usually ignore the fact that information was omitted from the output and report success to the caller anyway.