[thirdparty/openssl.git] / doc / crypto / X509_STORE_CTX_new.pod

=pod

=head1 NAME

X509_STORE_CTX_new, X509_STORE_CTX_cleanup, X509_STORE_CTX_free,
X509_STORE_CTX_init, X509_STORE_CTX_set0_trusted_stack, X509_STORE_CTX_set_cert,
X509_STORE_CTX_set0_crls,
X509_STORE_CTX_get0_chain, X509_STORE_CTX_set0_verified_chain,
X509_STORE_CTX_get0_param, X509_STORE_CTX_set0_param,
X509_STORE_CTX_get0_cert,
X509_STORE_CTX_get0_untrusted, X509_STORE_CTX_set0_untrusted,
X509_STORE_CTX_get_num_untrusted,
X509_STORE_CTX_set_default,
X509_STORE_CTX_get_verify_cb,
X509_STORE_CTX_set_verify,
X509_STORE_CTX_get_verify - X509_STORE_CTX initialisation

=head1 SYNOPSIS

 #include <openssl/x509_vfy.h>

 X509_STORE_CTX *X509_STORE_CTX_new(void);
 void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);
 void X509_STORE_CTX_free(X509_STORE_CTX *ctx);

 int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
			 X509 *x509, STACK_OF(X509) *chain);

 void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);

 void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx,X509 *x);
 STACK_OF(X509) *X509_STORE_CTX_get0_chain(X609_STORE_CTX *ctx);
 void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *chain);
 void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk);

 X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx);
 void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param);
 int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name);

 X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx);
 STACK_OF(X509)* X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx);
 void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);

 int X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx);

 typedef int (*X509_STORE_CTX_verify)(X509_STORE_CTX *);
 X509_STORE_CTX_verify X509_STORE_CTX_get_verify(X509_STORE_CTX *ctx);
 void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx, X509_STORE_CTX_verify verify);


=head1 DESCRIPTION

These functions initialise an B<X509_STORE_CTX> structure for subsequent use
by X509_verify_cert().

X509_STORE_CTX_new() returns a newly initialised B<X509_STORE_CTX> structure.

X509_STORE_CTX_cleanup() internally cleans up an B<X509_STORE_CTX> structure.
The context can then be reused with an new call to X509_STORE_CTX_init().

X509_STORE_CTX_free() completely frees up B<ctx>. After this call B<ctx>
is no longer valid.
If B<ctx> is NULL nothing is done.

X509_STORE_CTX_init() sets up B<ctx> for a subsequent verification operation.
It must be called before each call to X509_verify_cert(), i.e. a B<ctx> is only
good for one call to X509_verify_cert(); if you want to verify a second
certificate with the same B<ctx> then you must call X509_XTORE_CTX_cleanup()
and then X509_STORE_CTX_init() again before the second call to
X509_verify_cert(). The trusted certificate store is set to B<store>, the end
entity certificate to be verified is set to B<x509> and a set of additional
certificates (which will be untrusted but may be used to build the chain) in
B<chain>. Any or all of the B<store>, B<x509> and B<chain> parameters can be
B<NULL>.

X509_STORE_CTX_set0_trusted_stack() sets the set of trusted certificates of
B<ctx> to B<sk>. This is an alternative way of specifying trusted certificates
instead of using an B<X509_STORE>.

X509_STORE_CTX_set_cert() sets the certificate to be verified in B<ctx> to
B<x>.

X509_STORE_CTX_set0_verified_chain() sets the validated chain used
by B<ctx> to be B<chain>.
Ownership of the chain is transferred to B<ctx> and should not be
free'd by the caller.
X509_STORE_CTX_get0_chain() returns a the internal pointer used by the
B<ctx> that contains the validated chain.

X509_STORE_CTX_set0_crls() sets a set of CRLs to use to aid certificate
verification to B<sk>. These CRLs will only be used if CRL verification is
enabled in the associated B<X509_VERIFY_PARAM> structure. This might be
used where additional "useful" CRLs are supplied as part of a protocol,
for example in a PKCS#7 structure.

X509_STORE_CTX_get0_param() retrieves an internal pointer
to the verification parameters associated with B<ctx>.

X509_STORE_CTX_get0_cert() retrieves an internal pointer to the
certificate being verified by the B<ctx>.

X509_STORE_CTX_get0_untrusted() retrieves an internal pointer to the
stack of untrusted certifieds associated with B<ctx>.

X509_STORE_CTX_set0_untrusted() sets the internal point to the stack
of unstrusted certificates associated with B<ctx> to B<sk>.

X509_STORE_CTX_set0_param() sets the internal verification parameter pointer
to B<param>. After this call B<param> should not be used.

X509_STORE_CTX_set_default() looks up and sets the default verification
method to B<name>. This uses the function X509_VERIFY_PARAM_lookup() to
find an appropriate set of parameters from B<name>.

X509_STORE_CTX_get_num_untrusted() returns the number of untrusted certificates
that were used in building the chain following a call to X509_verify_cert().

=head1 NOTES

The certificates and CRLs in a store are used internally and should B<not>
be freed up until after the associated B<X509_STORE_CTX> is freed.

=head1 BUGS

The certificates and CRLs in a context are used internally and should B<not>
be freed up until after the associated B<X509_STORE_CTX> is freed. Copies
should be made or reference counts increased instead.

=head1 RETURN VALUES

X509_STORE_CTX_new() returns an newly allocates context or B<NULL> is an
error occurred.

X509_STORE_CTX_init() returns 1 for success or 0 if an error occurred.

X509_STORE_CTX_get0_param() returns a pointer to an B<X509_VERIFY_PARAM>
structure or B<NULL> if an error occurred.

X509_STORE_CTX_cleanup(), X509_STORE_CTX_free(),
X509_STORE_CTX_set0_trusted_stack(),
X509_STORE_CTX_set_cert(),
X509_STORE_CTX_set0_crls() and X509_STORE_CTX_set0_param() do not return
values.

X509_STORE_CTX_set_default() returns 1 for success or 0 if an error occurred.

X509_STORE_CTX_get_num_untrusted() returns the number of untrusted certificates
used.

=head1 SEE ALSO

L<X509_verify_cert(3)>
L<X509_VERIFY_PARAM_set_flags(3)>

=head1 HISTORY

X509_STORE_CTX_set0_crls() was first added to OpenSSL 1.0.0
X509_STORE_CTX_get_num_untrusted() was first added to OpenSSL 1.1.0

=cut
Commit	Line	Data
db576632 DSH	1	=pod
	2
	3	=head1 NAME
	4
f0e0fd51 RS	5	X509_STORE_CTX_new, X509_STORE_CTX_cleanup, X509_STORE_CTX_free,
	6	X509_STORE_CTX_init, X509_STORE_CTX_set0_trusted_stack, X509_STORE_CTX_set_cert,
	7	X509_STORE_CTX_set0_crls,
	8	X509_STORE_CTX_get0_chain, X509_STORE_CTX_set0_verified_chain,
	9	X509_STORE_CTX_get0_param, X509_STORE_CTX_set0_param,
	10	X509_STORE_CTX_get0_cert,
4dba585f	11	X509_STORE_CTX_get0_untrusted, X509_STORE_CTX_set0_untrusted,
f0e0fd51 RS	12	X509_STORE_CTX_get_num_untrusted,
	13	X509_STORE_CTX_set_default,
	14	X509_STORE_CTX_get_verify_cb,
	15	X509_STORE_CTX_set_verify,
	16	X509_STORE_CTX_get_verify - X509_STORE_CTX initialisation
db576632 DSH	17
	18	=head1 SYNOPSIS
	19
	20	#include <openssl/x509_vfy.h>
	21
	22	X509_STORE_CTX *X509_STORE_CTX_new(void);
	23	void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);
	24	void X509_STORE_CTX_free(X509_STORE_CTX *ctx);
	25
	26	int X509_STORE_CTX_init(X509_STORE_CTX ctx, X509_STORE store,
	27	X509 x509, STACK_OF(X509) chain);
	28
f0e0fd51	29	void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX ctx, STACK_OF(X509) sk);
db576632	30
f0e0fd51 RS	31	void X509_STORE_CTX_set_cert(X509_STORE_CTX ctx,X509 x);
	32	STACK_OF(X509) X509_STORE_CTX_get0_chain(X609_STORE_CTX ctx);
	33	void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX ctx, STACK_OF(X509) chain);
	34	void X509_STORE_CTX_set0_crls(X509_STORE_CTX ctx, STACK_OF(X509_CRL) sk);
db576632 DSH	35
	36	X509_VERIFY_PARAM X509_STORE_CTX_get0_param(X509_STORE_CTX ctx);
	37	void X509_STORE_CTX_set0_param(X509_STORE_CTX ctx, X509_VERIFY_PARAM param);
	38	int X509_STORE_CTX_set_default(X509_STORE_CTX ctx, const char name);
	39
f0e0fd51 RS	40	X509 X509_STORE_CTX_get0_cert(X509_STORE_CTX ctx);
f0e0fd51 RS	41	STACK_OF(X509)* X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx);
4dba585f	42	void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX ctx, STACK_OF(X509) sk);
f0e0fd51	43
7f3f41d8 MC	44	int X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx);
7f3f41d8 MC	45
f0e0fd51 RS	46	typedef int (X509_STORE_CTX_verify)(X509_STORE_CTX );
	47	X509_STORE_CTX_verify X509_STORE_CTX_get_verify(X509_STORE_CTX *ctx);
	48	void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx, X509_STORE_CTX_verify verify);
	49
	50
db576632 DSH	51	=head1 DESCRIPTION
	52
	53	These functions initialise an B<X509_STORE_CTX> structure for subsequent use
	54	by X509_verify_cert().
	55
	56	X509_STORE_CTX_new() returns a newly initialised B<X509_STORE_CTX> structure.
	57
	58	X509_STORE_CTX_cleanup() internally cleans up an B<X509_STORE_CTX> structure.
	59	The context can then be reused with an new call to X509_STORE_CTX_init().
	60
	61	X509_STORE_CTX_free() completely frees up B<ctx>. After this call B<ctx>
	62	is no longer valid.
222561fe	63	If B<ctx> is NULL nothing is done.
db576632 DSH	64
db576632 DSH	65	X509_STORE_CTX_init() sets up B<ctx> for a subsequent verification operation.
aae41f8c MC	66	It must be called before each call to X509_verify_cert(), i.e. a B<ctx> is only
	67	good for one call to X509_verify_cert(); if you want to verify a second
	68	certificate with the same B<ctx> then you must call X509_XTORE_CTX_cleanup()
	69	and then X509_STORE_CTX_init() again before the second call to
	70	X509_verify_cert(). The trusted certificate store is set to B<store>, the end
	71	entity certificate to be verified is set to B<x509> and a set of additional
	72	certificates (which will be untrusted but may be used to build the chain) in
	73	B<chain>. Any or all of the B<store>, B<x509> and B<chain> parameters can be
	74	B<NULL>.
db576632	75
f0e0fd51 RS	76	X509_STORE_CTX_set0_trusted_stack() sets the set of trusted certificates of
f0e0fd51 RS	77	B<ctx> to B<sk>. This is an alternative way of specifying trusted certificates
db576632 DSH	78	instead of using an B<X509_STORE>.
db576632 DSH	79
186bb907	80	X509_STORE_CTX_set_cert() sets the certificate to be verified in B<ctx> to
db576632 DSH	81	B<x>.
db576632 DSH	82
f0e0fd51 RS	83	X509_STORE_CTX_set0_verified_chain() sets the validated chain used
	84	by B<ctx> to be B<chain>.
	85	Ownership of the chain is transferred to B<ctx> and should not be
	86	free'd by the caller.
	87	X509_STORE_CTX_get0_chain() returns a the internal pointer used by the
	88	B<ctx> that contains the validated chain.
db576632 DSH	89
	90	X509_STORE_CTX_set0_crls() sets a set of CRLs to use to aid certificate
	91	verification to B<sk>. These CRLs will only be used if CRL verification is
	92	enabled in the associated B<X509_VERIFY_PARAM> structure. This might be
	93	used where additional "useful" CRLs are supplied as part of a protocol,
	94	for example in a PKCS#7 structure.
	95
f0e0fd51	96	X509_STORE_CTX_get0_param() retrieves an internal pointer
db576632 DSH	97	to the verification parameters associated with B<ctx>.
db576632 DSH	98
f0e0fd51 RS	99	X509_STORE_CTX_get0_cert() retrieves an internal pointer to the
	100	certificate being verified by the B<ctx>.
	101
	102	X509_STORE_CTX_get0_untrusted() retrieves an internal pointer to the
	103	stack of untrusted certifieds associated with B<ctx>.
	104
4dba585f DSH	105	X509_STORE_CTX_set0_untrusted() sets the internal point to the stack
	106	of unstrusted certificates associated with B<ctx> to B<sk>.
	107
186bb907	108	X509_STORE_CTX_set0_param() sets the internal verification parameter pointer
db576632 DSH	109	to B<param>. After this call B<param> should not be used.
	110
	111	X509_STORE_CTX_set_default() looks up and sets the default verification
	112	method to B<name>. This uses the function X509_VERIFY_PARAM_lookup() to
	113	find an appropriate set of parameters from B<name>.
	114
7f3f41d8 MC	115	X509_STORE_CTX_get_num_untrusted() returns the number of untrusted certificates
	116	that were used in building the chain following a call to X509_verify_cert().
	117
db576632 DSH	118	=head1 NOTES
	119
	120	The certificates and CRLs in a store are used internally and should B<not>
f0e0fd51	121	be freed up until after the associated B<X509_STORE_CTX> is freed.
db576632 DSH	122
	123	=head1 BUGS
	124
	125	The certificates and CRLs in a context are used internally and should B<not>
	126	be freed up until after the associated B<X509_STORE_CTX> is freed. Copies
	127	should be made or reference counts increased instead.
	128
	129	=head1 RETURN VALUES
	130
	131	X509_STORE_CTX_new() returns an newly allocates context or B<NULL> is an
	132	error occurred.
	133
	134	X509_STORE_CTX_init() returns 1 for success or 0 if an error occurred.
	135
	136	X509_STORE_CTX_get0_param() returns a pointer to an B<X509_VERIFY_PARAM>
	137	structure or B<NULL> if an error occurred.
	138
f0e0fd51 RS	139	X509_STORE_CTX_cleanup(), X509_STORE_CTX_free(),
	140	X509_STORE_CTX_set0_trusted_stack(),
	141	X509_STORE_CTX_set_cert(),
db576632 DSH	142	X509_STORE_CTX_set0_crls() and X509_STORE_CTX_set0_param() do not return
	143	values.
	144
	145	X509_STORE_CTX_set_default() returns 1 for success or 0 if an error occurred.
	146
7f3f41d8 MC	147	X509_STORE_CTX_get_num_untrusted() returns the number of untrusted certificates
	148	used.
	149
db576632 DSH	150	=head1 SEE ALSO
db576632 DSH	151
9b86974e RS	152	L<X509_verify_cert(3)>
9b86974e RS	153	L<X509_VERIFY_PARAM_set_flags(3)>
db576632 DSH	154
	155	=head1 HISTORY
	156
	157	X509_STORE_CTX_set0_crls() was first added to OpenSSL 1.0.0
7f3f41d8	158	X509_STORE_CTX_get_num_untrusted() was first added to OpenSSL 1.1.0
db576632 DSH	159
db576632 DSH	160	=cut