From: Dr. Stephen Henson Date: Fri, 19 Aug 2016 11:39:57 +0000 (+0100) Subject: Constify certificate and CRL time routines. X-Git-Tag: OpenSSL_1_1_0~114 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=568ce3a583a17c33feacbf5028ece9f7f0680478;p=oweals%2Fopenssl.git Constify certificate and CRL time routines. Update certificate and CRL time routines to match new standard. Reviewed-by: Rich Salz --- diff --git a/apps/apps.c b/apps/apps.c index 1ce632f003..23c65698ff 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -2604,7 +2604,7 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate, goto err; } - if (!X509_set_notBefore(x, tm)) + if (!X509_set1_notBefore(x, tm)) goto err; if (enddate == NULL) { @@ -2614,7 +2614,7 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate, goto err; } - if (!X509_set_notAfter(x, tm)) + if (!X509_set1_notAfter(x, tm)) goto err; rv = 1; diff --git a/apps/ca.c b/apps/ca.c index ef61de2eef..3db3f99640 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -1100,13 +1100,13 @@ end_of_options: if (tmptm == NULL) goto end; X509_gmtime_adj(tmptm, 0); - X509_CRL_set_lastUpdate(crl, tmptm); + X509_CRL_set1_lastUpdate(crl, tmptm); if (!X509_time_adj_ex(tmptm, crldays, crlhours * 60 * 60 + crlsec, NULL)) { BIO_puts(bio_err, "error setting CRL nextUpdate\n"); goto end; } - X509_CRL_set_nextUpdate(crl, tmptm); + X509_CRL_set1_nextUpdate(crl, tmptm); ASN1_TIME_free(tmptm); @@ -1377,7 +1377,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, { X509_NAME *name = NULL, *CAname = NULL, *subject = NULL, *dn_subject = NULL; - ASN1_UTCTIME *tm; + const ASN1_TIME *tm; ASN1_STRING *str, *str2; ASN1_OBJECT *obj; X509 *ret = NULL; @@ -1703,7 +1703,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, if (enddate != NULL) { int tdays; - ASN1_TIME_diff(&tdays, NULL, NULL, X509_get_notAfter(ret)); + ASN1_TIME_diff(&tdays, NULL, NULL, X509_get0_notAfter(ret)); days = tdays; } @@ -1789,7 +1789,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, } BIO_printf(bio_err, "Certificate is to be certified until "); - ASN1_TIME_print(bio_err, X509_get_notAfter(ret)); + ASN1_TIME_print(bio_err, X509_get0_notAfter(ret)); if (days) BIO_printf(bio_err, " (%ld days)", days); BIO_printf(bio_err, "\n"); @@ -1822,7 +1822,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, /* We now just add it to the database */ row[DB_type] = OPENSSL_strdup("V"); - tm = X509_get_notAfter(ret); + tm = X509_get0_notAfter(ret); row[DB_exp_date] = app_malloc(tm->length + 1, "row expdate"); memcpy(row[DB_exp_date], tm->data, tm->length); row[DB_exp_date][tm->length] = '\0'; @@ -2021,7 +2021,7 @@ static int check_time_format(const char *str) static int do_revoke(X509 *x509, CA_DB *db, int type, char *value) { - ASN1_UTCTIME *tm = NULL; + const ASN1_TIME *tm = NULL; char *row[DB_NUMBER], **rrow, **irow; char *rev_str = NULL; BIGNUM *bn = NULL; @@ -2054,7 +2054,7 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value) /* We now just add it to the database */ row[DB_type] = OPENSSL_strdup("V"); - tm = X509_get_notAfter(x509); + tm = X509_get0_notAfter(x509); row[DB_exp_date] = app_malloc(tm->length + 1, "row exp_data"); memcpy(row[DB_exp_date], tm->data, tm->length); row[DB_exp_date][tm->length] = '\0'; diff --git a/apps/crl.c b/apps/crl.c index 3dbbc0cda2..5e0fbe5899 100644 --- a/apps/crl.c +++ b/apps/crl.c @@ -285,13 +285,13 @@ int crl_main(int argc, char **argv) #endif if (lastupdate == i) { BIO_printf(bio_out, "lastUpdate="); - ASN1_TIME_print(bio_out, X509_CRL_get_lastUpdate(x)); + ASN1_TIME_print(bio_out, X509_CRL_get0_lastUpdate(x)); BIO_printf(bio_out, "\n"); } if (nextupdate == i) { BIO_printf(bio_out, "nextUpdate="); - if (X509_CRL_get_nextUpdate(x)) - ASN1_TIME_print(bio_out, X509_CRL_get_nextUpdate(x)); + if (X509_CRL_get0_nextUpdate(x)) + ASN1_TIME_print(bio_out, X509_CRL_get0_nextUpdate(x)); else BIO_printf(bio_out, "NONE"); BIO_printf(bio_out, "\n"); diff --git a/apps/s_cb.c b/apps/s_cb.c index e960b9469b..9535f12690 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -82,13 +82,13 @@ int verify_callback(int ok, X509_STORE_CTX *ctx) case X509_V_ERR_CERT_NOT_YET_VALID: case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: BIO_printf(bio_err, "notBefore="); - ASN1_TIME_print(bio_err, X509_get_notBefore(err_cert)); + ASN1_TIME_print(bio_err, X509_get0_notBefore(err_cert)); BIO_printf(bio_err, "\n"); break; case X509_V_ERR_CERT_HAS_EXPIRED: case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: BIO_printf(bio_err, "notAfter="); - ASN1_TIME_print(bio_err, X509_get_notAfter(err_cert)); + ASN1_TIME_print(bio_err, X509_get0_notAfter(err_cert)); BIO_printf(bio_err, "\n"); break; case X509_V_ERR_NO_EXPLICIT_POLICY: diff --git a/apps/x509.c b/apps/x509.c index 0cb38b796a..05aa5547cd 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -746,11 +746,11 @@ int x509_main(int argc, char **argv) X509_print_ex(out, x, nmflag, certflag); } else if (startdate == i) { BIO_puts(out, "notBefore="); - ASN1_TIME_print(out, X509_get_notBefore(x)); + ASN1_TIME_print(out, X509_get0_notBefore(x)); BIO_puts(out, "\n"); } else if (enddate == i) { BIO_puts(out, "notAfter="); - ASN1_TIME_print(out, X509_get_notAfter(x)); + ASN1_TIME_print(out, X509_get0_notAfter(x)); BIO_puts(out, "\n"); } else if (fingerprint == i) { int j; @@ -837,7 +837,7 @@ int x509_main(int argc, char **argv) if (checkend) { time_t tcheck = time(NULL) + checkoffset; - if (X509_cmp_time(X509_get_notAfter(x), &tcheck) < 0) { + if (X509_cmp_time(X509_get0_notAfter(x), &tcheck) < 0) { BIO_printf(out, "Certificate will expire\n"); ret = 1; } else { diff --git a/crypto/x509/t_crl.c b/crypto/x509/t_crl.c index 2451ee72db..de0320d075 100644 --- a/crypto/x509/t_crl.c +++ b/crypto/x509/t_crl.c @@ -51,10 +51,10 @@ int X509_CRL_print(BIO *out, X509_CRL *x) BIO_printf(out, "%8sIssuer: %s\n", "", p); OPENSSL_free(p); BIO_printf(out, "%8sLast Update: ", ""); - ASN1_TIME_print(out, X509_CRL_get_lastUpdate(x)); + ASN1_TIME_print(out, X509_CRL_get0_lastUpdate(x)); BIO_printf(out, "\n%8sNext Update: ", ""); - if (X509_CRL_get_nextUpdate(x)) - ASN1_TIME_print(out, X509_CRL_get_nextUpdate(x)); + if (X509_CRL_get0_nextUpdate(x)) + ASN1_TIME_print(out, X509_CRL_get0_nextUpdate(x)); else BIO_printf(out, "NONE"); BIO_printf(out, "\n"); diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c index 5d7c130d46..feeff754c3 100644 --- a/crypto/x509/t_x509.c +++ b/crypto/x509/t_x509.c @@ -129,11 +129,11 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, goto err; if (BIO_write(bp, " Not Before: ", 24) <= 0) goto err; - if (!ASN1_TIME_print(bp, X509_get_notBefore(x))) + if (!ASN1_TIME_print(bp, X509_get0_notBefore(x))) goto err; if (BIO_write(bp, "\n Not After : ", 25) <= 0) goto err; - if (!ASN1_TIME_print(bp, X509_get_notAfter(x))) + if (!ASN1_TIME_print(bp, X509_get0_notAfter(x))) goto err; if (BIO_write(bp, "\n", 1) <= 0) goto err; diff --git a/crypto/x509/x509_set.c b/crypto/x509/x509_set.c index 3cebf6ef3b..8bf367b645 100644 --- a/crypto/x509/x509_set.c +++ b/crypto/x509/x509_set.c @@ -71,14 +71,14 @@ int x509_set1_time(ASN1_TIME **ptm, const ASN1_TIME *tm) return (in != NULL); } -int X509_set_notBefore(X509 *x, const ASN1_TIME *tm) +int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm) { if (x == NULL) return 0; return x509_set1_time(&x->cert_info.validity.notBefore, tm); } -int X509_set_notAfter(X509 *x, const ASN1_TIME *tm) +int X509_set1_notAfter(X509 *x, const ASN1_TIME *tm) { if (x == NULL) return 0; @@ -109,7 +109,18 @@ long X509_get_version(const X509 *x) return ASN1_INTEGER_get(x->cert_info.version); } -ASN1_TIME * X509_get_notBefore(const X509 *x) +const ASN1_TIME *X509_get0_notBefore(const X509 *x) +{ + return x->cert_info.validity.notBefore; +} + +const ASN1_TIME *X509_get0_notAfter(const X509 *x) +{ + return x->cert_info.validity.notAfter; +} + +#if OPENSSL_API_COMPAT < 0x10100000L +ASN1_TIME *X509_get_notBefore(const X509 *x) { return x->cert_info.validity.notBefore; } @@ -118,6 +129,7 @@ ASN1_TIME *X509_get_notAfter(const X509 *x) { return x->cert_info.validity.notAfter; } +#endif int X509_get_signature_type(const X509 *x) { diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 36baeacb9d..13a9ba3c38 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -921,7 +921,7 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) else ptime = NULL; - i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); + i = X509_cmp_time(X509_CRL_get0_lastUpdate(crl), ptime); if (i == 0) { if (!notify) return 0; @@ -936,8 +936,8 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) return 0; } - if (X509_CRL_get_nextUpdate(crl)) { - i = X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime); + if (X509_CRL_get0_nextUpdate(crl)) { + i = X509_cmp_time(X509_CRL_get0_nextUpdate(crl), ptime); if (i == 0) { if (!notify) @@ -979,8 +979,8 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, /* If current CRL is equivalent use it if it is newer */ if (crl_score == best_score) { int day, sec; - if (ASN1_TIME_diff(&day, &sec, X509_CRL_get_lastUpdate(best_crl), - X509_CRL_get_lastUpdate(crl)) == 0) + if (ASN1_TIME_diff(&day, &sec, X509_CRL_get0_lastUpdate(best_crl), + X509_CRL_get0_lastUpdate(crl)) == 0) continue; /* * ASN1_TIME_diff never returns inconsistent signs for |day| @@ -1646,7 +1646,7 @@ int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth) else ptime = NULL; - i = X509_cmp_time(X509_get_notBefore(x), ptime); + i = X509_cmp_time(X509_get0_notBefore(x), ptime); if (i >= 0 && depth < 0) return 0; if (i == 0 && !verify_cb_cert(ctx, x, depth, @@ -1655,7 +1655,7 @@ int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth) if (i > 0 && !verify_cb_cert(ctx, x, depth, X509_V_ERR_CERT_NOT_YET_VALID)) return 0; - i = X509_cmp_time(X509_get_notAfter(x), ptime); + i = X509_cmp_time(X509_get0_notAfter(x), ptime); if (i <= 0 && depth < 0) return 0; if (i == 0 && !verify_cb_cert(ctx, x, depth, @@ -1983,9 +1983,9 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, if (!X509_CRL_set_issuer_name(crl, X509_CRL_get_issuer(newer))) goto memerr; - if (!X509_CRL_set_lastUpdate(crl, X509_CRL_get_lastUpdate(newer))) + if (!X509_CRL_set1_lastUpdate(crl, X509_CRL_get0_lastUpdate(newer))) goto memerr; - if (!X509_CRL_set_nextUpdate(crl, X509_CRL_get_nextUpdate(newer))) + if (!X509_CRL_set1_nextUpdate(crl, X509_CRL_get0_nextUpdate(newer))) goto memerr; /* Set base CRL number: must be critical */ diff --git a/crypto/x509/x509cset.c b/crypto/x509/x509cset.c index 681c43812a..205785961b 100644 --- a/crypto/x509/x509cset.c +++ b/crypto/x509/x509cset.c @@ -33,14 +33,14 @@ int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name) return (X509_NAME_set(&x->crl.issuer, name)); } -int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm) +int X509_CRL_set1_lastUpdate(X509_CRL *x, const ASN1_TIME *tm) { if (x == NULL) return 0; return x509_set1_time(&x->crl.lastUpdate, tm); } -int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm) +int X509_CRL_set1_nextUpdate(X509_CRL *x, const ASN1_TIME *tm) { if (x == NULL) return 0; @@ -80,16 +80,28 @@ long X509_CRL_get_version(const X509_CRL *crl) return ASN1_INTEGER_get(crl->crl.version); } -ASN1_TIME *X509_CRL_get_lastUpdate(const X509_CRL *crl) +const ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl) { return crl->crl.lastUpdate; } -ASN1_TIME *X509_CRL_get_nextUpdate(const X509_CRL *crl) +const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl) { return crl->crl.nextUpdate; } +#if OPENSSL_API_COMPAT < 0x10100000L +ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl) +{ + return crl->crl.lastUpdate; +} + +ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl) +{ + return crl->crl.nextUpdate; +} +#endif + X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl) { return crl->crl.issuer; diff --git a/doc/crypto/X509_get_notBefore.pod b/doc/crypto/X509_get_notBefore.pod index ebbd156444..5fdc83404f 100644 --- a/doc/crypto/X509_get_notBefore.pod +++ b/doc/crypto/X509_get_notBefore.pod @@ -2,60 +2,67 @@ =head1 NAME -X509_get_notBefore, X509_get_notAfter, X509_set_notBefore, -X509_set_notAfter, X509_CRL_get_lastUpdate, X509_CRL_get_nextUpdate, -X509_CRL_set_lastUpdate, X509_CRL_set_nextUpdate - get or set certificate -or CRL dates +X509_get0_notBefore, X509_get_notBefore, X509_get0_notAfter, X509_get_notAfter, +X509_set1_notBefore, X509_set1_notAfter, X509_CRL_get0_lastUpdate, +X509_CRL_get0_nextUpdate, X509_CRL_set1_lastUpdate, +X509_CRL_set1_nextUpdate - get or set certificate or CRL dates =head1 SYNOPSIS #include + const ASN1_TIME *X509_get0_notBefore(const X509 *x); + const ASN1_TIME *X509_get0_notAfter(const X509 *x); + ASN1_TIME *X509_get_notBefore(const X509 *x); ASN1_TIME *X509_get_notAfter(const X509 *x); - int X509_set_notBefore(X509 *x, const ASN1_TIME *tm); - int X509_set_notAfter(X509 *x, const ASN1_TIME *tm); + int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm); + int X509_set1_notAfter(X509 *x, const ASN1_TIME *tm); - ASN1_TIME *X509_CRL_get_lastUpdate(const X509_CRL *crl); - ASN1_TIME *X509_CRL_get_nextUpdate(const X509_CRL *crl); + const ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl); + const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl); - int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm); - int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm); + int X509_CRL_set1_lastUpdate(X509_CRL *x, const ASN1_TIME *tm); + int X509_CRL_set1_nextUpdate(X509_CRL *x, const ASN1_TIME *tm); =head1 DESCRIPTION -X509_get_notBefore() and X509_get_notAfter() return the B +X509_get0_notBefore() and X509_get0_notAfter() return the B and B fields of certificate B respectively. The value returned is an internal pointer which must not be freed up after the call. -X509_set_notBefore() and X509_set_notAfter() set the B +X509_get_notBefore() and X509_get_notAfter() are similar to +X509_get0_notBefore() and X509_get0_notAfter() except they do not +return constant values. They are deprecated in OpenSSL 1.1.0 + +X509_set1_notBefore() and X509_set1_notAfter() set the B and B fields of B to B. Ownership of the passed parameter B is not transferred by these functions so it must be freed up after the call. -X509_CRL_get_lastUpdate() and X509_CRL_get_nextUpdate() return the +X509_CRL_get0_lastUpdate() and X509_CRL_get0_nextUpdate() return the B and B fields of B. The value returned is an internal pointer which must not be freed up after the call. If the B field is absent from B then B is returned. -X509_CRL_set_lastUpdate() and X509_CRL_set_nextUpdate() set the B +X509_CRL_set1_lastUpdate() and X509_CRL_set1_nextUpdate() set the B and B fields of B to B. Ownership of the passed parameter B is not transferred by these functions so it must be freed up after the call. =head1 RETURN VALUES -X509_get_notBefore(), X509_get_notAfter() and X509_CRL_get_lastUpdate() +X509_get0_notBefore(), X509_get0_notAfter() and X509_CRL_get0_lastUpdate() return a pointer to an B structure. -X509_CRL_get_lastUpdate() return a pointer to an B structure +X509_CRL_get0_lastUpdate() return a pointer to an B structure or NULL if the B field is absent. -X509_set_notBefore(), X509_set_notAfter(), X509_CRL_set_lastUpdate() and -X509_CRL_set_nextUpdate() return 1 for success or 0 for failure. +X509_set1_notBefore(), X509_set1_notAfter(), X509_CRL_set1_lastUpdate() and +X509_CRL_set1_nextUpdate() return 1 for success or 0 for failure. =head1 SEE ALSO @@ -80,6 +87,9 @@ L These functions are available in all versions of OpenSSL. +X509_get_notBefore() and X509_get_notAfter() were deprecated in OpenSSL +1.1.0 + =head1 COPYRIGHT Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. diff --git a/include/openssl/x509.h b/include/openssl/x509.h index fe7fd78787..8aa968dbc5 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -622,13 +622,22 @@ int X509_set_issuer_name(X509 *x, X509_NAME *name); X509_NAME *X509_get_issuer_name(const X509 *a); int X509_set_subject_name(X509 *x, X509_NAME *name); X509_NAME *X509_get_subject_name(const X509 *a); -ASN1_TIME * X509_get_notBefore(const X509 *x); -int X509_set_notBefore(X509 *x, const ASN1_TIME *tm); -ASN1_TIME *X509_get_notAfter(const X509 *x); -int X509_set_notAfter(X509 *x, const ASN1_TIME *tm); +const ASN1_TIME * X509_get0_notBefore(const X509 *x); +DEPRECATEDIN_1_1_0(ASN1_TIME *X509_get_notBefore(const X509 *x)) +int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm); +const ASN1_TIME *X509_get0_notAfter(const X509 *x); +DEPRECATEDIN_1_1_0(ASN1_TIME *X509_get_notAfter(const X509 *x)) +int X509_set1_notAfter(X509 *x, const ASN1_TIME *tm); int X509_set_pubkey(X509 *x, EVP_PKEY *pkey); int X509_up_ref(X509 *x); int X509_get_signature_type(const X509 *x); + +# if OPENSSL_API_COMPAT < 0x10100000L +# define X509_set_notBefore X509_set1_notBefore +# define X509_set_notAfter X509_set1_notAfter +#endif + + /* * This one is only used so that a binary form can output, as in * i2d_X509_NAME(X509_get_X509_PUBKEY(x),&buf) @@ -682,14 +691,21 @@ int X509_REQ_add1_attr_by_txt(X509_REQ *req, int X509_CRL_set_version(X509_CRL *x, long version); int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name); -int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm); -int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm); +int X509_CRL_set1_lastUpdate(X509_CRL *x, const ASN1_TIME *tm); +int X509_CRL_set1_nextUpdate(X509_CRL *x, const ASN1_TIME *tm); int X509_CRL_sort(X509_CRL *crl); int X509_CRL_up_ref(X509_CRL *crl); +# if OPENSSL_API_COMPAT < 0x10100000L +# define X509_CRL_set_lastUpdate X509_CRL_set1_lastUpdate +# define X509_CRL_set_nextUpdate X509_CRL_set1_nextUpdate +#endif + long X509_CRL_get_version(const X509_CRL *crl); -ASN1_TIME *X509_CRL_get_lastUpdate(const X509_CRL *crl); -ASN1_TIME *X509_CRL_get_nextUpdate(const X509_CRL *crl); +const ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl); +const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl); +DEPRECATEDIN_1_1_0(ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl)) +DEPRECATEDIN_1_1_0(ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl)) X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl); const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl); STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl);