Document X509_REVOKED-related functions
Also move a few functions into the correct sections.
Bug: 426
Change-Id: I81c4e65bd7f248251a2a85b9934abe500798532a
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/63926
Commit-Queue: David Benjamin <davidben@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 9e9adbd..2f9b5e5 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -217,6 +217,15 @@
const ASN1_BIT_STRING **out_issuer_uid,
const ASN1_BIT_STRING **out_subject_uid);
+// X509_get_pathlen returns path length constraint from the basic constraints
+// extension in |x509|. (See RFC 5280, section 4.2.1.9.) It returns -1 if the
+// constraint is not present, or if some extension in |x509| was invalid.
+//
+// TODO(crbug.com/boringssl/381): Decoding an |X509| object will not check for
+// invalid extensions. To detect the error case, call
+// |X509_get_extensions_flags| and check the |EXFLAG_INVALID| bit.
+OPENSSL_EXPORT long X509_get_pathlen(X509 *x509);
+
// X509_get0_extensions returns |x509|'s extension list, or NULL if |x509| omits
// it.
OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_get0_extensions(
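Review bot: The X509_get_pathlen comment folds two different conditions into the -1 return, so a caller that reads -1 as "no constraint" silently stops enforcing the limit on a certificate whose extensions are malformed. The TODO already names EXFLAG_INVALID, but the ordering is the security-relevant part and deserves a direct sentence, e.g. `// Callers must check |EXFLAG_INVALID| before interpreting -1 as "unconstrained".` It would also help to state what is returned when basicConstraints carries a pathLenConstraint but cA is FALSE (RFC 5280, section 4.2.1.9 says the constraint is only meaningful when cA is asserted); that cannot be told from the header alone, so confirm against the implementation before documenting it.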
@@ -244,6 +253,14 @@
// compatibility, but callers should not mutate the result.
OPENSSL_EXPORT X509_EXTENSION *X509_get_ext(const X509 *x, int loc);
+// X509_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the extension in
+// |x509|'s extension list.
+//
+// WARNING: This function is difficult to use correctly. See the documentation
+// for |X509V3_get_d2i| for details.
+OPENSSL_EXPORT void *X509_get_ext_d2i(const X509 *x509, int nid,
+ int *out_critical, int *out_idx);
+
// X509_get0_tbs_sigalg returns the signature algorithm in |x509|'s
// TBSCertificate. For the outer signature algorithm, see |X509_get0_signature|.
//
@@ -347,6 +364,15 @@
// list.
OPENSSL_EXPORT int X509_add_ext(X509 *x, const X509_EXTENSION *ex, int loc);
+// X509_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the extension to
+// |x|'s extension list.
+//
+// WARNING: This function may return zero or -1 on error. The caller must also
+// ensure |value|'s type matches |nid|. See the documentation for
+// |X509V3_add1_i2d| for details.
+OPENSSL_EXPORT int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
+ unsigned long flags);
+
// X509_sign signs |x509| with |pkey| and replaces the signature algorithm and
// signature fields. It returns the length of the signature on success and zero
// on error. This function uses digest algorithm |md|, or |pkey|'s default if
@@ -474,19 +500,22 @@
// Certificate revocation lists.
//
// An |X509_CRL| object represents an X.509 certificate revocation list (CRL),
-// defined in RFC 5280. A CRL is a signed list of certificates which are no
-// longer considered valid.
+// defined in RFC 5280. A CRL is a signed list of certificates, the
+// revokedCertificates field, which are no longer considered valid. Each entry
+// of this list is represented with an |X509_REVOKED| object, documented in the
+// "CRL entries" section below.
//
-// Although an |X509_CRL| is a mutable object, mutating an |X509_CRL| can give
-// incorrect results. Callers typically obtain |X509_CRL|s by parsing some input
-// with |d2i_X509_CRL|, etc. Such objects carry information such as the
-// serialized TBSCertList and decoded extensions, which will become inconsistent
-// when mutated.
+// Although an |X509_CRL| is a mutable object, mutating an |X509_CRL| or its
+// |X509_REVOKED|s can give incorrect results. Callers typically obtain
+// |X509_CRL|s by parsing some input with |d2i_X509_CRL|, etc. Such objects
+// carry information such as the serialized TBSCertList and decoded extensions,
+// which will become inconsistent when mutated.
//
// Instead, mutation functions should only be used when issuing new CRLs, as
// described in a later section.
DEFINE_STACK_OF(X509_CRL)
+DEFINE_STACK_OF(X509_REVOKED)
// X509_CRL is an |ASN1_ITEM| whose ASN.1 type is X.509 CertificateList (RFC
// 5280) and C type is |X509_CRL*|.
@@ -540,6 +569,28 @@
// const-correct for legacy reasons.
OPENSSL_EXPORT X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl);
+// X509_CRL_get0_by_serial finds the entry in |crl| whose serial number is
+// |serial|. If found, it sets |*out| to the entry. It then returns two if the
+// reason code is removeFromCRL and one if it was revoked. If not found, it
+// returns zero.
+//
+// On success, |*out| continues to be owned by |crl|. It is an error to free or
+// otherwise modify |*out|.
+//
+// TODO(crbug.com/boringssl/600): Ideally |crl| would be const. It is broadly
+// thread-safe, but changes the order of entries in |crl|. It cannot be called
+// concurrently with |i2d_X509_CRL|.
+//
+// TODO(crbug.com/boringssl/601): removeFromCRL is part of delta CRLs. Remove
+// this special case.
+OPENSSL_EXPORT int X509_CRL_get0_by_serial(X509_CRL *crl, X509_REVOKED **out,
+ const ASN1_INTEGER *serial);
+
+// X509_CRL_get0_by_cert behaves like |X509_CRL_get0_by_serial|, except it looks
+// for the entry that matches |x509|.
+OPENSSL_EXPORT int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **out,
+ X509 *x509);
+
// X509_CRL_get_REVOKED returns the list of revoked certificates in |crl|, or
// NULL if |crl| omits it.
//
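Review bot: X509_CRL_get0_by_cert says it finds the entry that "matches |x509|" without saying what is compared; presumably only the serial number, in which case the function cannot tell whether |crl| was issued by |x509|'s issuer and the caller must establish that separately before treating a hit as a revocation. If that is what the implementation does, say so: `// for the entry whose serial number matches |x509|'s. It does not check that |crl| was issued by |x509|'s issuer; the caller is responsible for that.` The return contract of both functions also means a non-zero result is not simply "revoked": two is a removeFromCRL entry, so callers must compare against one rather than test truthiness, and a sentence saying so would prevent the obvious `if (X509_CRL_get0_by_serial(...))` misuse.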
@@ -549,7 +600,9 @@
OPENSSL_EXPORT STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl);
// X509_CRL_get0_extensions returns |crl|'s extension list, or NULL if |crl|
-// omits it.
+// omits it. A CRL can have extensions on individual entries, which is
+// |X509_REVOKED_get0_extensions|, or on the overall CRL, which is this
+// function.
OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(
const X509_CRL *crl);
@@ -576,6 +629,14 @@
// compatibility, but callers should not mutate the result.
OPENSSL_EXPORT X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc);
+// X509_CRL_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the
+// extension in |crl|'s extension list.
+//
+// WARNING: This function is difficult to use correctly. See the documentation
+// for |X509V3_get_d2i| for details.
+OPENSSL_EXPORT void *X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid,
+ int *out_critical, int *out_idx);
+
// X509_CRL_get0_signature sets |*out_sig| and |*out_alg| to the signature and
// signature algorithm of |crl|, respectively. Either output pointer may be NULL
// to ignore the value.
@@ -637,6 +698,15 @@
// on success and zero on error.
OPENSSL_EXPORT int X509_CRL_set1_nextUpdate(X509_CRL *crl, const ASN1_TIME *tm);
+// X509_CRL_add0_revoked adds |rev| to |crl|. On success, it takes ownership of
+// |rev| and returns one. On error, it returns zero. If this function fails, the
+// caller retains ownership of |rev| and must release it when done.
+OPENSSL_EXPORT int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);
+
+// X509_CRL_sort sorts the entries in |crl| by serial number. It returns one on
+// success and zero on error.
+OPENSSL_EXPORT int X509_CRL_sort(X509_CRL *crl);
+
// X509_CRL_delete_ext removes the extension in |x| at index |loc| and returns
// the removed extension, or NULL if |loc| was out of bounds. If non-NULL, the
// caller must release the result with |X509_EXTENSION_free|.
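Review bot: X509_CRL_add0_revoked does not say what happens when |rev| has no serial number set or duplicates a serial already present in |crl|; if the implementation does not reject either, a later lookup with |X509_CRL_get0_by_serial| presumably returns whichever duplicate sorts first, which is not something an issuer wants to discover by accident. If duplicates are indeed accepted, document it, e.g. `// |rev| is not checked against existing entries; the caller must ensure serial numbers are unique.` The X509_CRL_sort comment could likewise note whether sorting is required before the lookup functions are usable on a freshly built CRL, which I cannot tell from the header.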
@@ -652,6 +722,15 @@
OPENSSL_EXPORT int X509_CRL_add_ext(X509_CRL *x, const X509_EXTENSION *ex,
int loc);
+// X509_CRL_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the extension
+// to |x|'s extension list.
+//
+// WARNING: This function may return zero or -1 on error. The caller must also
+// ensure |value|'s type matches |nid|. See the documentation for
+// |X509V3_add1_i2d| for details.
+OPENSSL_EXPORT int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value,
+ int crit, unsigned long flags);
+
// X509_CRL_sign signs |crl| with |pkey| and replaces the signature algorithm
// and signature fields. It returns the length of the signature on success and
// zero on error. This function uses digest algorithm |md|, or |pkey|'s default
@@ -695,6 +774,128 @@
size_t sig_len);
+// CRL entries.
+//
+// Each entry of a CRL is represented as an |X509_REVOKED| object, which
+// describes a revoked certificate by serial number.
+//
+// When an |X509_REVOKED| is obtained from an |X509_CRL| object, it is an error
+// to mutate the object. Doing so may break |X509_CRL|'s and cause the library
+// to behave incorrectly.
+
+// X509_REVOKED is an |ASN1_ITEM| whose ASN.1 type is an element of the
+// revokedCertificates field of TBSCertList (RFC 5280) and C type is
+// |X509_REVOKED*|.
+DECLARE_ASN1_ITEM(X509_REVOKED)
+
+// X509_REVOKED_new returns a newly-allocated, empty |X509_REVOKED| object, or
+// NULL on allocation error.
+OPENSSL_EXPORT X509_REVOKED *X509_REVOKED_new(void);
+
+// X509_REVOKED_free releases memory associated with |rev|.
+OPENSSL_EXPORT void X509_REVOKED_free(X509_REVOKED *rev);
+
+// d2i_X509_REVOKED parses up to |len| bytes from |*inp| as a DER-encoded X.509
+// CRL entry, as described in |d2i_SAMPLE|.
+OPENSSL_EXPORT X509_REVOKED *d2i_X509_REVOKED(X509_REVOKED **out,
+ const uint8_t **inp, long len);
+
+// i2d_X509_REVOKED marshals |alg| as a DER-encoded X.509 CRL entry, as
+// described in |i2d_SAMPLE|.
+OPENSSL_EXPORT int i2d_X509_REVOKED(const X509_REVOKED *alg, uint8_t **outp);
+
+// X509_REVOKED_dup returns a newly-allocated copy of |rev|, or NULL on error.
+// This function works by serializing the structure, so if |rev| is incomplete,
+// it may fail.
+OPENSSL_EXPORT X509_REVOKED *X509_REVOKED_dup(const X509_REVOKED *rev);
+
+// X509_REVOKED_get0_serialNumber returns the serial number of the certificate
+// revoked by |revoked|.
+OPENSSL_EXPORT const ASN1_INTEGER *X509_REVOKED_get0_serialNumber(
+ const X509_REVOKED *revoked);
+
+// X509_REVOKED_set_serialNumber sets |revoked|'s serial number to |serial|. It
+// returns one on success or zero on error.
+OPENSSL_EXPORT int X509_REVOKED_set_serialNumber(X509_REVOKED *revoked,
+ const ASN1_INTEGER *serial);
+
+// X509_REVOKED_get0_revocationDate returns the revocation time of the
+// certificate revoked by |revoked|.
+OPENSSL_EXPORT const ASN1_TIME *X509_REVOKED_get0_revocationDate(
+ const X509_REVOKED *revoked);
+
+// X509_REVOKED_set_revocationDate sets |revoked|'s revocation time to |tm|. It
+// returns one on success or zero on error.
+OPENSSL_EXPORT int X509_REVOKED_set_revocationDate(X509_REVOKED *revoked,
+ const ASN1_TIME *tm);
+
+// X509_REVOKED_get0_extensions returns |r|'s extensions list, or NULL if |r|
+// omits it. A CRL can have extensions on individual entries, which is this
+// function, or on the overall CRL, which is |X509_CRL_get0_extensions|.
+OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(
+ const X509_REVOKED *r);
+
+ // X509_REVOKED_get_ext_count returns the number of extensions in |x|.
+OPENSSL_EXPORT int X509_REVOKED_get_ext_count(const X509_REVOKED *x);
+
+// X509_REVOKED_get_ext_by_NID behaves like |X509v3_get_ext_by_NID| but searches
+// for extensions in |x|.
+OPENSSL_EXPORT int X509_REVOKED_get_ext_by_NID(const X509_REVOKED *x, int nid,
+ int lastpos);
+
+// X509_REVOKED_get_ext_by_OBJ behaves like |X509v3_get_ext_by_OBJ| but searches
+// for extensions in |x|.
+OPENSSL_EXPORT int X509_REVOKED_get_ext_by_OBJ(const X509_REVOKED *x,
+ const ASN1_OBJECT *obj,
+ int lastpos);
+
+// X509_REVOKED_get_ext_by_critical behaves like |X509v3_get_ext_by_critical|
+// but searches for extensions in |x|.
+OPENSSL_EXPORT int X509_REVOKED_get_ext_by_critical(const X509_REVOKED *x,
+ int crit, int lastpos);
+
+// X509_REVOKED_get_ext returns the extension in |x| at index |loc|, or NULL if
+// |loc| is out of bounds. This function returns a non-const pointer for OpenSSL
+// compatibility, but callers should not mutate the result.
+OPENSSL_EXPORT X509_EXTENSION *X509_REVOKED_get_ext(const X509_REVOKED *x,
+ int loc);
+
+// X509_REVOKED_delete_ext removes the extension in |x| at index |loc| and
+// returns the removed extension, or NULL if |loc| was out of bounds. If
+// non-NULL, the caller must release the result with |X509_EXTENSION_free|.
+OPENSSL_EXPORT X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x,
+ int loc);
+
+// X509_REVOKED_add_ext adds a copy of |ex| to |x|. It returns one on success
+// and zero on failure. The caller retains ownership of |ex| and can release it
+// independently of |x|.
+//
+// The new extension is inserted at index |loc|, shifting extensions to the
+// right. If |loc| is -1 or out of bounds, the new extension is appended to the
+// list.
+OPENSSL_EXPORT int X509_REVOKED_add_ext(X509_REVOKED *x,
+ const X509_EXTENSION *ex, int loc);
+
+// X509_REVOKED_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the
+// extension in |revoked|'s extension list.
+//
+// WARNING: This function is difficult to use correctly. See the documentation
+// for |X509V3_get_d2i| for details.
+OPENSSL_EXPORT void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *revoked,
+ int nid, int *out_critical,
+ int *out_idx);
+
+// X509_REVOKED_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the
+// extension to |x|'s extension list.
+//
+// WARNING: This function may return zero or -1 on error. The caller must also
+// ensure |value|'s type matches |nid|. See the documentation for
+// |X509V3_add1_i2d| for details.
+OPENSSL_EXPORT int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid,
+ void *value, int crit,
+ unsigned long flags);
+
+
// Certificate requests.
//
// An |X509_REQ| represents a PKCS #10 certificate request (RFC 2986). These are
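Review bot: The i2d_X509_REVOKED comment and prototype name the input `alg`, which looks copied from an AlgorithmIdentifier declaration; the rest of this section uses `rev`/`revoked`, so change both lines to `// i2d_X509_REVOKED marshals |rev| as a DER-encoded X.509 CRL entry, as` and `OPENSSL_EXPORT int i2d_X509_REVOKED(const X509_REVOKED *rev, uint8_t **outp);`. The X509_REVOKED_get_ext_count comment line carries a stray leading space, unlike every other comment in the block. The section intro reads "may break |X509_CRL|'s"; the plural is written `|X509_REVOKED|s` a few lines earlier in the CRL section, so this should be `|X509_CRL|s`.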
@@ -2216,8 +2417,6 @@
#define X509_TRUST_REJECTED 2
#define X509_TRUST_UNTRUSTED 3
-DEFINE_STACK_OF(X509_REVOKED)
-
DECLARE_STACK_OF(GENERAL_NAMES)
struct private_key_st {
@@ -2251,15 +2450,6 @@
DEFINE_STACK_OF(X509_INFO)
-// X509_get_pathlen returns path length constraint from the basic constraints
-// extension in |x509|. (See RFC 5280, section 4.2.1.9.) It returns -1 if the
-// constraint is not present, or if some extension in |x509| was invalid.
-//
-// Note that decoding an |X509| object will not check for invalid extensions. To
-// detect the error case, call |X509_get_extensions_flags| and check the
-// |EXFLAG_INVALID| bit.
-OPENSSL_EXPORT long X509_get_pathlen(X509 *x509);
-
// X509_SIG_get0 sets |*out_alg| and |*out_digest| to non-owning pointers to
// |sig|'s algorithm and digest fields, respectively. Either |out_alg| and
// |out_digest| may be NULL to skip those fields.
@@ -2276,11 +2466,6 @@
// a default description.
OPENSSL_EXPORT const char *X509_verify_cert_error_string(long err);
-// X509_REVOKED_dup returns a newly-allocated copy of |rev|, or NULL on error.
-// This function works by serializing the structure, so if |rev| is incomplete,
-// it may fail.
-OPENSSL_EXPORT X509_REVOKED *X509_REVOKED_dup(const X509_REVOKED *rev);
-
OPENSSL_EXPORT const char *X509_get_default_cert_area(void);
OPENSSL_EXPORT const char *X509_get_default_cert_dir(void);
OPENSSL_EXPORT const char *X509_get_default_cert_file(void);
@@ -2306,14 +2491,6 @@
OPENSSL_EXPORT int X509_TRUST_set(int *t, int trust);
-DECLARE_ASN1_FUNCTIONS_const(X509_REVOKED)
-
-OPENSSL_EXPORT int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);
-OPENSSL_EXPORT int X509_CRL_get0_by_serial(X509_CRL *crl, X509_REVOKED **ret,
- ASN1_INTEGER *serial);
-OPENSSL_EXPORT int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret,
- X509 *x);
-
OPENSSL_EXPORT X509_PKEY *X509_PKEY_new(void);
OPENSSL_EXPORT void X509_PKEY_free(X509_PKEY *a);
@@ -2341,33 +2518,6 @@
ASN1_BIT_STRING *signature, void *asn,
EVP_MD_CTX *ctx);
-OPENSSL_EXPORT int X509_CRL_sort(X509_CRL *crl);
-
-// X509_REVOKED_get0_serialNumber returns the serial number of the certificate
-// revoked by |revoked|.
-OPENSSL_EXPORT const ASN1_INTEGER *X509_REVOKED_get0_serialNumber(
- const X509_REVOKED *revoked);
-
-// X509_REVOKED_set_serialNumber sets |revoked|'s serial number to |serial|. It
-// returns one on success or zero on error.
-OPENSSL_EXPORT int X509_REVOKED_set_serialNumber(X509_REVOKED *revoked,
- const ASN1_INTEGER *serial);
-
-// X509_REVOKED_get0_revocationDate returns the revocation time of the
-// certificate revoked by |revoked|.
-OPENSSL_EXPORT const ASN1_TIME *X509_REVOKED_get0_revocationDate(
- const X509_REVOKED *revoked);
-
-// X509_REVOKED_set_revocationDate sets |revoked|'s revocation time to |tm|. It
-// returns one on success or zero on error.
-OPENSSL_EXPORT int X509_REVOKED_set_revocationDate(X509_REVOKED *revoked,
- const ASN1_TIME *tm);
-
-// X509_REVOKED_get0_extensions returns |r|'s extensions list, or NULL if |r|
-// omits it.
-OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(
- const X509_REVOKED *r);
-
OPENSSL_EXPORT X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
EVP_PKEY *skey, const EVP_MD *md,
unsigned int flags);
@@ -2393,100 +2543,6 @@
OPENSSL_EXPORT int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b);
OPENSSL_EXPORT int X509_CRL_match(const X509_CRL *a, const X509_CRL *b);
-// X509_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the extension in
-// |x509|'s extension list.
-//
-// WARNING: This function is difficult to use correctly. See the documentation
-// for |X509V3_get_d2i| for details.
-OPENSSL_EXPORT void *X509_get_ext_d2i(const X509 *x509, int nid,
- int *out_critical, int *out_idx);
-
-// X509_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the extension to
-// |x|'s extension list.
-//
-// WARNING: This function may return zero or -1 on error. The caller must also
-// ensure |value|'s type matches |nid|. See the documentation for
-// |X509V3_add1_i2d| for details.
-OPENSSL_EXPORT int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
- unsigned long flags);
-
-// X509_CRL_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the
-// extension in |crl|'s extension list.
-//
-// WARNING: This function is difficult to use correctly. See the documentation
-// for |X509V3_get_d2i| for details.
-OPENSSL_EXPORT void *X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid,
- int *out_critical, int *out_idx);
-
-// X509_CRL_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the extension
-// to |x|'s extension list.
-//
-// WARNING: This function may return zero or -1 on error. The caller must also
-// ensure |value|'s type matches |nid|. See the documentation for
-// |X509V3_add1_i2d| for details.
-OPENSSL_EXPORT int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value,
- int crit, unsigned long flags);
-
-// X509_REVOKED_get_ext_count returns the number of extensions in |x|.
-OPENSSL_EXPORT int X509_REVOKED_get_ext_count(const X509_REVOKED *x);
-
-// X509_REVOKED_get_ext_by_NID behaves like |X509v3_get_ext_by_NID| but searches
-// for extensions in |x|.
-OPENSSL_EXPORT int X509_REVOKED_get_ext_by_NID(const X509_REVOKED *x, int nid,
- int lastpos);
-
-// X509_REVOKED_get_ext_by_OBJ behaves like |X509v3_get_ext_by_OBJ| but searches
-// for extensions in |x|.
-OPENSSL_EXPORT int X509_REVOKED_get_ext_by_OBJ(const X509_REVOKED *x,
- const ASN1_OBJECT *obj,
- int lastpos);
-
-// X509_REVOKED_get_ext_by_critical behaves like |X509v3_get_ext_by_critical|
-// but searches for extensions in |x|.
-OPENSSL_EXPORT int X509_REVOKED_get_ext_by_critical(const X509_REVOKED *x,
- int crit, int lastpos);
-
-// X509_REVOKED_get_ext returns the extension in |x| at index |loc|, or NULL if
-// |loc| is out of bounds. This function returns a non-const pointer for OpenSSL
-// compatibility, but callers should not mutate the result.
-OPENSSL_EXPORT X509_EXTENSION *X509_REVOKED_get_ext(const X509_REVOKED *x,
- int loc);
-
-// X509_REVOKED_delete_ext removes the extension in |x| at index |loc| and
-// returns the removed extension, or NULL if |loc| was out of bounds. If
-// non-NULL, the caller must release the result with |X509_EXTENSION_free|.
-OPENSSL_EXPORT X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x,
- int loc);
-
-// X509_REVOKED_add_ext adds a copy of |ex| to |x|. It returns one on success
-// and zero on failure. The caller retains ownership of |ex| and can release it
-// independently of |x|.
-//
-// The new extension is inserted at index |loc|, shifting extensions to the
-// right. If |loc| is -1 or out of bounds, the new extension is appended to the
-// list.
-OPENSSL_EXPORT int X509_REVOKED_add_ext(X509_REVOKED *x,
- const X509_EXTENSION *ex, int loc);
-
-// X509_REVOKED_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the
-// extension in |revoked|'s extension list.
-//
-// WARNING: This function is difficult to use correctly. See the documentation
-// for |X509V3_get_d2i| for details.
-OPENSSL_EXPORT void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *revoked,
- int nid, int *out_critical,
- int *out_idx);
-
-// X509_REVOKED_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the
-// extension to |x|'s extension list.
-//
-// WARNING: This function may return zero or -1 on error. The caller must also
-// ensure |value|'s type matches |nid|. See the documentation for
-// |X509V3_add1_i2d| for details.
-OPENSSL_EXPORT int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid,
- void *value, int crit,
- unsigned long flags);
-
OPENSSL_EXPORT int X509_verify_cert(X509_STORE_CTX *ctx);
// PKCS#8 utilities