]>
Commit | Line | Data |
---|---|---|
db576632 DSH |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
cc45a884 MC |
5 | X509_STORE_CTX_new_with_libctx, X509_STORE_CTX_new, X509_STORE_CTX_cleanup, |
6 | X509_STORE_CTX_free, X509_STORE_CTX_init, X509_STORE_CTX_set0_trusted_stack, | |
7 | X509_STORE_CTX_set_cert, X509_STORE_CTX_set0_crls, | |
f0e0fd51 RS |
8 | X509_STORE_CTX_get0_chain, X509_STORE_CTX_set0_verified_chain, |
9 | X509_STORE_CTX_get0_param, X509_STORE_CTX_set0_param, | |
4dba585f | 10 | X509_STORE_CTX_get0_untrusted, X509_STORE_CTX_set0_untrusted, |
f0e0fd51 RS |
11 | X509_STORE_CTX_get_num_untrusted, |
12 | X509_STORE_CTX_set_default, | |
121677b4 RS |
13 | X509_STORE_CTX_set_verify, |
14 | X509_STORE_CTX_verify_fn | |
99d63d46 | 15 | - X509_STORE_CTX initialisation |
db576632 DSH |
16 | |
17 | =head1 SYNOPSIS | |
18 | ||
19 | #include <openssl/x509_vfy.h> | |
20 | ||
cc45a884 MC |
21 | X509_STORE_CTX *X509_STORE_CTX_new_with_libctx(OPENSSL_CTX *libctx, |
22 | const char *propq); | |
db576632 DSH |
23 | X509_STORE_CTX *X509_STORE_CTX_new(void); |
24 | void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx); | |
25 | void X509_STORE_CTX_free(X509_STORE_CTX *ctx); | |
26 | ||
27 | int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, | |
1bc74519 | 28 | X509 *x509, STACK_OF(X509) *chain); |
db576632 | 29 | |
f0e0fd51 | 30 | void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk); |
db576632 | 31 | |
aebb9aac | 32 | void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x); |
8cc86b81 | 33 | STACK_OF(X509) *X509_STORE_CTX_get0_chain(const X509_STORE_CTX *ctx); |
f0e0fd51 RS |
34 | void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *chain); |
35 | void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk); | |
db576632 | 36 | |
8cc86b81 | 37 | X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(const X509_STORE_CTX *ctx); |
db576632 DSH |
38 | void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param); |
39 | int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name); | |
40 | ||
8cc86b81 | 41 | STACK_OF(X509)* X509_STORE_CTX_get0_untrusted(const X509_STORE_CTX *ctx); |
4dba585f | 42 | void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *ctx, STACK_OF(X509) *sk); |
f0e0fd51 | 43 | |
8cc86b81 | 44 | int X509_STORE_CTX_get_num_untrusted(const X509_STORE_CTX *ctx); |
7f3f41d8 | 45 | |
4a7b3a7b | 46 | typedef int (*X509_STORE_CTX_verify_fn)(X509_STORE_CTX *); |
4a7b3a7b | 47 | void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx, X509_STORE_CTX_verify_fn verify); |
f0e0fd51 | 48 | |
db576632 DSH |
49 | =head1 DESCRIPTION |
50 | ||
51 | These functions initialise an B<X509_STORE_CTX> structure for subsequent use | |
52 | by X509_verify_cert(). | |
53 | ||
cc45a884 MC |
54 | X509_STORE_CTX_new_with_libctx() returns a newly initialised B<X509_STORE_CTX> |
55 | structure associated with the specified library context I<libctx> and property | |
56 | query string I<propq>. Any cryptographic algorithms fetched while performing | |
57 | processing with the X509_STORE_CTX will use that library context and property | |
58 | query string. | |
59 | ||
60 | X509_STORE_CTX_new() is the same as X509_STORE_CTX_new_with_libctx() except that | |
61 | the default library context and a NULL property query string are used. | |
db576632 DSH |
62 | |
63 | X509_STORE_CTX_cleanup() internally cleans up an B<X509_STORE_CTX> structure. | |
64 | The context can then be reused with an new call to X509_STORE_CTX_init(). | |
65 | ||
cc45a884 | 66 | X509_STORE_CTX_free() completely frees up I<ctx>. After this call I<ctx> |
db576632 | 67 | is no longer valid. |
cc45a884 | 68 | If I<ctx> is NULL nothing is done. |
db576632 | 69 | |
cc45a884 MC |
70 | X509_STORE_CTX_init() sets up I<ctx> for a subsequent verification operation. |
71 | It must be called before each call to X509_verify_cert(), i.e. a I<ctx> is only | |
aae41f8c | 72 | good for one call to X509_verify_cert(); if you want to verify a second |
cc45a884 | 73 | certificate with the same I<ctx> then you must call X509_STORE_CTX_cleanup() |
aae41f8c | 74 | and then X509_STORE_CTX_init() again before the second call to |
cc45a884 MC |
75 | X509_verify_cert(). The trusted certificate store is set to I<store>, the end |
76 | entity certificate to be verified is set to I<x509> and a set of additional | |
aae41f8c | 77 | certificates (which will be untrusted but may be used to build the chain) in |
cc45a884 | 78 | I<chain>. Any or all of the I<store>, I<x509> and I<chain> parameters can be |
aae41f8c | 79 | B<NULL>. |
db576632 | 80 | |
f0e0fd51 | 81 | X509_STORE_CTX_set0_trusted_stack() sets the set of trusted certificates of |
cc45a884 | 82 | I<ctx> to I<sk>. This is an alternative way of specifying trusted certificates |
db576632 DSH |
83 | instead of using an B<X509_STORE>. |
84 | ||
cc45a884 MC |
85 | X509_STORE_CTX_set_cert() sets the certificate to be verified in I<ctx> to |
86 | I<x>. | |
db576632 | 87 | |
f0e0fd51 | 88 | X509_STORE_CTX_set0_verified_chain() sets the validated chain used |
cc45a884 MC |
89 | by I<ctx> to be I<chain>. |
90 | Ownership of the chain is transferred to I<ctx> and should not be | |
f0e0fd51 RS |
91 | free'd by the caller. |
92 | X509_STORE_CTX_get0_chain() returns a the internal pointer used by the | |
cc45a884 | 93 | I<ctx> that contains the validated chain. |
db576632 DSH |
94 | |
95 | X509_STORE_CTX_set0_crls() sets a set of CRLs to use to aid certificate | |
cc45a884 | 96 | verification to I<sk>. These CRLs will only be used if CRL verification is |
db576632 DSH |
97 | enabled in the associated B<X509_VERIFY_PARAM> structure. This might be |
98 | used where additional "useful" CRLs are supplied as part of a protocol, | |
99 | for example in a PKCS#7 structure. | |
100 | ||
f0e0fd51 | 101 | X509_STORE_CTX_get0_param() retrieves an internal pointer |
cc45a884 | 102 | to the verification parameters associated with I<ctx>. |
db576632 | 103 | |
f0e0fd51 | 104 | X509_STORE_CTX_get0_untrusted() retrieves an internal pointer to the |
cc45a884 | 105 | stack of untrusted certificates associated with I<ctx>. |
f0e0fd51 | 106 | |
4dba585f | 107 | X509_STORE_CTX_set0_untrusted() sets the internal point to the stack |
cc45a884 | 108 | of untrusted certificates associated with I<ctx> to I<sk>. |
4dba585f | 109 | |
186bb907 | 110 | X509_STORE_CTX_set0_param() sets the internal verification parameter pointer |
cc45a884 | 111 | to I<param>. After this call B<param> should not be used. |
db576632 DSH |
112 | |
113 | X509_STORE_CTX_set_default() looks up and sets the default verification | |
cc45a884 MC |
114 | method to I<name>. This uses the function X509_VERIFY_PARAM_lookup() to |
115 | find an appropriate set of parameters from I<name>. | |
db576632 | 116 | |
7f3f41d8 MC |
117 | X509_STORE_CTX_get_num_untrusted() returns the number of untrusted certificates |
118 | that were used in building the chain following a call to X509_verify_cert(). | |
119 | ||
7cafbb4b MC |
120 | X509_STORE_CTX_set_verify() provides the capability for overriding the default |
121 | verify function. This function is responsible for verifying chain signatures and | |
99d63d46 | 122 | expiration times. |
7cafbb4b MC |
123 | |
124 | A verify function is defined as an X509_STORE_CTX_verify type which has the | |
125 | following signature: | |
126 | ||
1bc74519 | 127 | int (*verify)(X509_STORE_CTX *); |
7cafbb4b MC |
128 | |
129 | This function should receive the current X509_STORE_CTX as a parameter and | |
130 | return 1 on success or 0 on failure. | |
131 | ||
db576632 DSH |
132 | =head1 NOTES |
133 | ||
134 | The certificates and CRLs in a store are used internally and should B<not> | |
f0e0fd51 | 135 | be freed up until after the associated B<X509_STORE_CTX> is freed. |
db576632 DSH |
136 | |
137 | =head1 BUGS | |
138 | ||
139 | The certificates and CRLs in a context are used internally and should B<not> | |
140 | be freed up until after the associated B<X509_STORE_CTX> is freed. Copies | |
141 | should be made or reference counts increased instead. | |
142 | ||
143 | =head1 RETURN VALUES | |
144 | ||
145 | X509_STORE_CTX_new() returns an newly allocates context or B<NULL> is an | |
146 | error occurred. | |
147 | ||
148 | X509_STORE_CTX_init() returns 1 for success or 0 if an error occurred. | |
149 | ||
150 | X509_STORE_CTX_get0_param() returns a pointer to an B<X509_VERIFY_PARAM> | |
151 | structure or B<NULL> if an error occurred. | |
152 | ||
f0e0fd51 RS |
153 | X509_STORE_CTX_cleanup(), X509_STORE_CTX_free(), |
154 | X509_STORE_CTX_set0_trusted_stack(), | |
155 | X509_STORE_CTX_set_cert(), | |
db576632 DSH |
156 | X509_STORE_CTX_set0_crls() and X509_STORE_CTX_set0_param() do not return |
157 | values. | |
158 | ||
159 | X509_STORE_CTX_set_default() returns 1 for success or 0 if an error occurred. | |
160 | ||
7f3f41d8 MC |
161 | X509_STORE_CTX_get_num_untrusted() returns the number of untrusted certificates |
162 | used. | |
163 | ||
db576632 DSH |
164 | =head1 SEE ALSO |
165 | ||
9b86974e RS |
166 | L<X509_verify_cert(3)> |
167 | L<X509_VERIFY_PARAM_set_flags(3)> | |
db576632 DSH |
168 | |
169 | =head1 HISTORY | |
170 | ||
fc5ecadd DMSP |
171 | The X509_STORE_CTX_set0_crls() function was added in OpenSSL 1.0.0. |
172 | The X509_STORE_CTX_get_num_untrusted() function was added in OpenSSL 1.1.0. | |
cc45a884 | 173 | The X509_STORE_CTX_new_with_libctx() function was added in OpenSSL 3.0. |
db576632 | 174 | |
e2f92610 RS |
175 | =head1 COPYRIGHT |
176 | ||
33388b44 | 177 | Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved. |
e2f92610 | 178 | |
4746f25a | 179 | Licensed under the Apache License 2.0 (the "License"). You may not use |
e2f92610 RS |
180 | this file except in compliance with the License. You can obtain a copy |
181 | in the file LICENSE in the source distribution or at | |
182 | L<https://www.openssl.org/source/license.html>. | |
183 | ||
184 | =cut |