projects / thirdparty / openssl.git / blame
| Commit | Line | Data |
|---|---|---|
| eeb15452 DSH |
1 | =pod |
| 2 | ||
| 3 | =head1 NAME | |
| 4 | ||
| 5 | SSL_CTX_set0_chain, SSL_CTX_set1_chain, SSL_CTX_add0_chain_cert, | |
| 7b6b246f RS |
6 | SSL_CTX_add1_chain_cert, SSL_CTX_get0_chain_certs, SSL_CTX_clear_chain_certs, |
| 7 | SSL_set0_chain, SSL_set1_chain, SSL_add0_chain_cert, SSL_add1_chain_cert, | |
| 8 | SSL_get0_chain_certs, SSL_clear_chain_certs, SSL_CTX_build_cert_chain, | |
| 9 | SSL_build_cert_chain, SSL_CTX_select_current_cert, | |
| 0f78819c DSH |
10 | SSL_select_current_cert, SSL_CTX_set_current_cert, SSL_set_current_cert - extra |
| 11 | chain certificate processing | |
| eeb15452 DSH |
12 | |
| 13 | =head1 SYNOPSIS | |
| 14 | ||
| 15 | #include <openssl/ssl.h> | |
| 16 | ||
| 17 | int SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *sk); | |
| 18 | int SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *sk); | |
| 7b6b246f | 19 | int SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509); |
| eeb15452 | 20 | int SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509); |
| 7b6b246f RS |
21 | int SSL_CTX_get0_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **sk); |
| 22 | int SSL_CTX_clear_chain_certs(SSL_CTX *ctx); | |
| eeb15452 DSH |
23 | |
| 24 | int SSL_set0_chain(SSL *ssl, STACK_OF(X509) *sk); | |
| 25 | int SSL_set1_chain(SSL *ssl, STACK_OF(X509) *sk); | |
| 7b6b246f | 26 | int SSL_add0_chain_cert(SSL *ssl, X509 *x509); |
| eeb15452 | 27 | int SSL_add1_chain_cert(SSL *ssl, X509 *x509); |
| 7b6b246f RS |
28 | int SSL_get0_chain_certs(SSL *ssl, STACK_OF(X509) **sk); |
| 29 | int SSL_clear_chain_certs(SSL *ssl); | |
| eeb15452 DSH |
30 | |
| 31 | int SSL_CTX_build_cert_chain(SSL_CTX *ctx, flags); | |
| 7b6b246f RS |
32 | int SSL_build_cert_chain(SSL *ssl, flags); |
| 33 | ||
| 34 | int SSL_CTX_select_current_cert(SSL_CTX *ctx, X509 *x509); | |
| 35 | int SSL_select_current_cert(SSL *ssl, X509 *x509); | |
| 0f78819c DSH |
36 | int SSL_CTX_set_current_cert(SSL_CTX *ctx, long op); |
| 37 | int SSL_set_current_cert(SSL *ssl, long op); | |
| eeb15452 DSH |
38 | |
| 39 | =head1 DESCRIPTION | |
| 40 | ||
| 41 | SSL_CTX_set0_chain() and SSL_CTX_set1_chain() set the certificate chain | |
| 7b6b246f | 42 | associated with the current certificate of B<ctx> to B<sk>. |
| eeb15452 DSH |
43 | |
| 44 | SSL_CTX_add0_chain_cert() and SSL_CTX_add1_chain_cert() append the single | |
| 45 | certificate B<x509> to the chain associated with the current certificate of | |
| 46 | B<ctx>. | |
| 47 | ||
| 7b6b246f RS |
48 | SSL_CTX_get0_chain_certs() retrieves the chain associated with the current |
| 49 | certificate of B<ctx>. | |
| 50 | ||
| 51 | SSL_CTX_clear_chain_certs() clears any existing chain associated with the | |
| 52 | current certificate of B<ctx>. (This is implemented by calling | |
| 53 | SSL_CTX_set0_chain() with B<sk> set to B<NULL>). | |
| 54 | ||
| 13dc3ce9 DSH |
55 | SSL_CTX_build_cert_chain() builds the certificate chain for B<ctx> normally |
| 56 | this uses the chain store or the verify store if the chain store is not set. | |
| eeb15452 | 57 | If the function is successful the built chain will replace any existing chain. |
| 13dc3ce9 DSH |
58 | The B<flags> parameter can be set to B<SSL_BUILD_CHAIN_FLAG_UNTRUSTED> to use |
| 59 | existing chain certificates as untrusted CAs, B<SSL_BUILD_CHAIN_FLAG_NO_ROOT> | |
| 60 | to omit the root CA from the built chain, B<SSL_BUILD_CHAIN_FLAG_CHECK> to | |
| 61 | use all existing chain certificates only to build the chain (effectively | |
| 62 | sanity checking and rearranging them if necessary), the flag | |
| 63 | B<SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR> ignores any errors during verification. | |
| eeb15452 | 64 | |
| 7b6b246f RS |
65 | Each of these functions operates on the I<current> end entity |
| 66 | (i.e. server or client) certificate. This is the last certificate loaded or | |
| 67 | selected on the corresponding B<ctx> structure. | |
| 68 | ||
| 69 | SSL_CTX_select_current_cert() selects B<x509> as the current end entity | |
| 70 | certificate, but only if B<x509> has already been loaded into B<ctx> using a | |
| 71 | function such as SSL_CTX_use_certificate(). | |
| 72 | ||
| 73 | SSL_set0_chain(), SSL_set1_chain(), SSL_add0_chain_cert(), | |
| 74 | SSL_add1_chain_cert(), SSL_get0_chain_certs(), SSL_clear_chain_certs(), | |
| 0f78819c DSH |
75 | SSL_build_cert_chain(), SSL_select_current_cert() and SSL_set_current_cert() |
| 76 | are similar except they apply to SSL structure B<ssl>. | |
| 77 | ||
| 78 | SSL_CTX_set_current_cert() changes the current certificate to a value based | |
| 79 | on the B<op> argument. Currently B<op> can be B<SSL_CERT_SET_FIRST> to use | |
| 80 | the first valid certificate or B<SSL_CERT_SET_NEXT> to set the next valid | |
| 81 | certificate after the current certificate. These two operations can be | |
| 82 | used to iterate over all certificates in an B<SSL_CTX> structure. | |
| eeb15452 | 83 | |
| daddd9a9 DSH |
84 | SSL_set_current_cert() also supports the option B<SSL_CERT_SET_SERVER>. |
| 85 | If B<ssl> is a server and has sent a certificate to a connected client | |
| 86 | this option sets that certificate to the current certificate and returns 1. | |
| 87 | If the negotiated ciphersuite is anonymous (and thus no certificate will | |
| 88 | be sent) 2 is returned and the current certificate is unchanged. If B<ssl> | |
| 89 | is not a server or a certificate has not been sent 0 is returned and | |
| 90 | the current certificate is unchanged. | |
| 91 | ||
| eeb15452 DSH |
92 | All these functions are implemented as macros. Those containing a B<1> |
| 93 | increment the reference count of the supplied certificate or chain so it must | |
| 94 | be freed at some point after the operation. Those containing a B<0> do | |
| 95 | not increment reference counts and the supplied certificate or chain | |
| 96 | B<MUST NOT> be freed after the operation. | |
| 97 | ||
| 98 | =head1 NOTES | |
| 99 | ||
| 100 | The chains associate with an SSL_CTX structure are copied to any SSL | |
| 101 | structures when SSL_new() is called. SSL structures will not be affected | |
| 102 | by any chains subsequently changed in the parent SSL_CTX. | |
| 103 | ||
| eeb15452 DSH |
104 | One chain can be set for each key type supported by a server. So, for example, |
| 105 | an RSA and a DSA certificate can (and often will) have different chains. | |
| 106 | ||
| 107 | The functions SSL_CTX_build_cert_chain() and SSL_build_cert_chain() can | |
| 108 | be used to check application configuration and to ensure any necessary | |
| 109 | subordinate CAs are sent in the correct order. Misconfigured applications | |
| 110 | sending incorrect certificate chains often cause problems with peers. | |
| 111 | ||
| 13dc3ce9 DSH |
112 | For example an application can add any set of certificates using |
| 113 | SSL_CTX_use_certificate_chain_file() then call SSL_CTX_build_cert_chain() | |
| 114 | with the option B<SSL_BUILD_CHAIN_FLAG_CHECK> to check and reorder them. | |
| 115 | ||
| eeb15452 DSH |
116 | Calling SSL_CTX_build_cert_chain() or SSL_build_cert_chain() is more |
| 117 | efficient than the automatic chain building as it is only performed once. | |
| 118 | Automatic chain building is performed on each new session. | |
| 119 | ||
| 120 | If any certificates are added using these functions no certificates added | |
| 121 | using SSL_CTX_add_extra_chain_cert() will be used. | |
| 122 | ||
| 123 | =head1 RETURN VALUES | |
| 124 | ||
| 13dc3ce9 DSH |
125 | SSL_set_current_cert() with B<SSL_CERT_SET_SERVER> return 1 for success, 2 if |
| 126 | no server certificate is used because the ciphersuites is anonymous and 0 | |
| 127 | for failure. | |
| 128 | ||
| 129 | All other functions return 1 for success and 0 for failure. | |
| eeb15452 | 130 | |
| eeb15452 DSH |
131 | =head1 SEE ALSO |
| 132 | ||
| 133 | L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)> | |
| 134 | ||
| 135 | =head1 HISTORY | |
| 136 | ||
| 137 | These functions were first added to OpenSSL 1.0.2. | |
| 138 | ||
| 139 | =cut |