]>
Commit | Line | Data |
---|---|---|
4cec750c DDO |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
6725682d | 5 | X509_verify, X509_self_signed, |
d8652be0 | 6 | X509_REQ_verify_ex, X509_REQ_verify, |
b97fb22f | 7 | X509_CRL_verify, X509_ACERT_verify - |
4cec750c DDO |
8 | verify certificate, certificate request, or CRL signature |
9 | ||
10 | =head1 SYNOPSIS | |
11 | ||
12 | #include <openssl/x509.h> | |
13 | ||
4cec750c | 14 | int X509_verify(X509 *x, EVP_PKEY *pkey); |
0d8dbb52 | 15 | int X509_self_signed(X509 *cert, int verify_signature); |
4cec750c | 16 | |
b4250010 | 17 | int X509_REQ_verify_ex(X509_REQ *a, EVP_PKEY *pkey, OSSL_LIB_CTX *libctx, |
d8652be0 | 18 | const char *propq); |
4cec750c DDO |
19 | int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r); |
20 | int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r); | |
21 | ||
b97fb22f DHG |
22 | #include <openssl/x509_acert.h> |
23 | int X509_ACERT_verify(X509_CRL *a, EVP_PKEY *r); | |
24 | ||
4cec750c DDO |
25 | =head1 DESCRIPTION |
26 | ||
6725682d SL |
27 | X509_verify() verifies the signature of certificate I<x> using public key |
28 | I<pkey>. Only the signature is checked: no other checks (such as certificate | |
29 | chain validity) are performed. | |
4cec750c | 30 | |
54c0480d | 31 | X509_self_signed() checks whether certificate I<cert> is self-signed. |
0d8dbb52 DDO |
32 | For success the issuer and subject names must match, the components of the |
33 | authority key identifier (if present) must match the subject key identifier etc. | |
34 | The signature itself is actually verified only if B<verify_signature> is 1, as | |
35 | for explicitly trusted certificates this verification is not worth the effort. | |
36 | ||
b97fb22f DHG |
37 | X509_REQ_verify_ex(), X509_REQ_verify(), X509_CRL_verify() and X509_ACERT_verify() |
38 | verify the signatures of certificate requests, CRLs and attribute certificates | |
39 | respectively. | |
4cec750c DDO |
40 | |
41 | =head1 RETURN VALUES | |
42 | ||
6725682d | 43 | X509_verify(), |
d8652be0 | 44 | X509_REQ_verify_ex(), X509_REQ_verify() and X509_CRL_verify() |
4cec750c | 45 | return 1 if the signature is valid and 0 if the signature check fails. |
54c0480d TM |
46 | If the signature could not be checked at all because it was ill-formed, |
47 | the certificate or the request was not complete or some other error occurred | |
48 | then -1 is returned. | |
4cec750c | 49 | |
0d8dbb52 DDO |
50 | X509_self_signed() returns the same values but also returns 1 |
51 | if all respective fields match and B<verify_signature> is 0. | |
52 | ||
4cec750c DDO |
53 | =head1 SEE ALSO |
54 | ||
55 | L<d2i_X509(3)>, | |
56 | L<ERR_get_error(3)>, | |
57 | L<X509_CRL_get0_by_serial(3)>, | |
58 | L<X509_get0_signature(3)>, | |
59 | L<X509_get_ext_d2i(3)>, | |
60 | L<X509_get_extension_flags(3)>, | |
61 | L<X509_get_pubkey(3)>, | |
62 | L<X509_get_subject_name(3)>, | |
63 | L<X509_get_version(3)>, | |
64 | L<X509_NAME_ENTRY_get_object(3)>, | |
65 | L<X509_NAME_get_index_by_NID(3)>, | |
66 | L<X509_NAME_print_ex(3)>, | |
67 | L<X509V3_get_d2i(3)>, | |
68 | L<X509_verify_cert(3)>, | |
b4250010 | 69 | L<OSSL_LIB_CTX(3)> |
4cec750c DDO |
70 | |
71 | =head1 HISTORY | |
72 | ||
73 | The X509_verify(), X509_REQ_verify(), and X509_CRL_verify() | |
74 | functions are available in all versions of OpenSSL. | |
75 | ||
d8652be0 | 76 | X509_REQ_verify_ex(), and X509_self_signed() were added in OpenSSL 3.0. |
4cec750c | 77 | |
b97fb22f DHG |
78 | X509_ACERT_verify() was added in OpenSSL 3.4. |
79 | ||
4cec750c DDO |
80 | =head1 COPYRIGHT |
81 | ||
3c95ef22 | 82 | Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. |
4cec750c DDO |
83 | |
84 | Licensed under the Apache License 2.0 (the "License"). You may not use | |
85 | this file except in compliance with the License. You can obtain a copy | |
86 | in the file LICENSE in the source distribution or at | |
87 | L<https://www.openssl.org/source/license.html>. | |
88 | ||
89 | =cut |