[thirdparty/openssl.git] / doc / crypto / X509_STORE_CTX_new.pod

=pod

=head1 NAME

X509_STORE_CTX_new, X509_STORE_CTX_cleanup, X509_STORE_CTX_free, X509_STORE_CTX_init, X509_STORE_CTX_trusted_stack, X509_STORE_CTX_set_cert, X509_STORE_CTX_set_chain, X509_STORE_CTX_set0_crls, X509_STORE_CTX_get0_param, X509_STORE_CTX_set0_param, X509_STORE_CTX_set_default - X509_STORE_CTX initialisation

=head1 SYNOPSIS

 #include <openssl/x509_vfy.h>

 X509_STORE_CTX *X509_STORE_CTX_new(void);
 void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);
 void X509_STORE_CTX_free(X509_STORE_CTX *ctx);

 int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
			 X509 *x509, STACK_OF(X509) *chain);

 void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);

 void	X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx,X509 *x);
 void	X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx,STACK_OF(X509) *sk);
 void	X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk);

 X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx);
 void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param);
 int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name);

 int X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx);

=head1 DESCRIPTION

These functions initialise an B<X509_STORE_CTX> structure for subsequent use
by X509_verify_cert().

X509_STORE_CTX_new() returns a newly initialised B<X509_STORE_CTX> structure.

X509_STORE_CTX_cleanup() internally cleans up an B<X509_STORE_CTX> structure.
The context can then be reused with an new call to X509_STORE_CTX_init().

X509_STORE_CTX_free() completely frees up B<ctx>. After this call B<ctx>
is no longer valid.
If B<ctx> is NULL nothing is done.

X509_STORE_CTX_init() sets up B<ctx> for a subsequent verification operation.
It must be called before each call to X509_verify_cert(), i.e. a B<ctx> is only
good for one call to X509_verify_cert(); if you want to verify a second
certificate with the same B<ctx> then you must call X509_XTORE_CTX_cleanup()
and then X509_STORE_CTX_init() again before the second call to
X509_verify_cert(). The trusted certificate store is set to B<store>, the end
entity certificate to be verified is set to B<x509> and a set of additional
certificates (which will be untrusted but may be used to build the chain) in
B<chain>. Any or all of the B<store>, B<x509> and B<chain> parameters can be
B<NULL>.

X509_STORE_CTX_trusted_stack() sets the set of trusted certificates of B<ctx>
to B<sk>. This is an alternative way of specifying trusted certificates 
instead of using an B<X509_STORE>.

X509_STORE_CTX_set_cert() sets the certificate to be verified in B<ctx> to
B<x>.

X509_STORE_CTX_set_chain() sets the additional certificate chain used by B<ctx>
to B<sk>.

X509_STORE_CTX_set0_crls() sets a set of CRLs to use to aid certificate
verification to B<sk>. These CRLs will only be used if CRL verification is
enabled in the associated B<X509_VERIFY_PARAM> structure. This might be
used where additional "useful" CRLs are supplied as part of a protocol,
for example in a PKCS#7 structure.

X509_VERIFY_PARAM *X509_STORE_CTX_get0_param() retrieves an internal pointer
to the verification parameters associated with B<ctx>.

X509_STORE_CTX_set0_param() sets the internal verification parameter pointer
to B<param>. After this call B<param> should not be used.

X509_STORE_CTX_set_default() looks up and sets the default verification
method to B<name>. This uses the function X509_VERIFY_PARAM_lookup() to
find an appropriate set of parameters from B<name>.

X509_STORE_CTX_get_num_untrusted() returns the number of untrusted certificates
that were used in building the chain following a call to X509_verify_cert().

=head1 NOTES

The certificates and CRLs in a store are used internally and should B<not>
be freed up until after the associated B<X509_STORE_CTX> is freed. Legacy
applications might implicitly use an B<X509_STORE_CTX> like this:

  X509_STORE_CTX ctx;
  X509_STORE_CTX_init(&ctx, store, cert, chain);

this is B<not> recommended in new applications they should instead do:

  X509_STORE_CTX *ctx;
  ctx = X509_STORE_CTX_new();
  if (ctx == NULL)
	/* Bad error */
  X509_STORE_CTX_init(ctx, store, cert, chain);

=head1 BUGS

The certificates and CRLs in a context are used internally and should B<not>
be freed up until after the associated B<X509_STORE_CTX> is freed. Copies
should be made or reference counts increased instead.

=head1 RETURN VALUES

X509_STORE_CTX_new() returns an newly allocates context or B<NULL> is an
error occurred.

X509_STORE_CTX_init() returns 1 for success or 0 if an error occurred.

X509_STORE_CTX_get0_param() returns a pointer to an B<X509_VERIFY_PARAM>
structure or B<NULL> if an error occurred.

X509_STORE_CTX_cleanup(), X509_STORE_CTX_free(), X509_STORE_CTX_trusted_stack(),
X509_STORE_CTX_set_cert(), X509_STORE_CTX_set_chain(),
X509_STORE_CTX_set0_crls() and X509_STORE_CTX_set0_param() do not return
values.

X509_STORE_CTX_set_default() returns 1 for success or 0 if an error occurred.

X509_STORE_CTX_get_num_untrusted() returns the number of untrusted certificates
used.

=head1 SEE ALSO

L<X509_verify_cert(3)>
L<X509_VERIFY_PARAM_set_flags(3)>

=head1 HISTORY

X509_STORE_CTX_set0_crls() was first added to OpenSSL 1.0.0
X509_STORE_CTX_get_num_untrusted() was first added to OpenSSL 1.1.0

=cut
Commit	Line	Data
db576632 DSH	1	=pod
	2
	3	=head1 NAME
	4
	5	X509_STORE_CTX_new, X509_STORE_CTX_cleanup, X509_STORE_CTX_free, X509_STORE_CTX_init, X509_STORE_CTX_trusted_stack, X509_STORE_CTX_set_cert, X509_STORE_CTX_set_chain, X509_STORE_CTX_set0_crls, X509_STORE_CTX_get0_param, X509_STORE_CTX_set0_param, X509_STORE_CTX_set_default - X509_STORE_CTX initialisation
	6
	7	=head1 SYNOPSIS
	8
	9	#include <openssl/x509_vfy.h>
	10
	11	X509_STORE_CTX *X509_STORE_CTX_new(void);
	12	void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);
	13	void X509_STORE_CTX_free(X509_STORE_CTX *ctx);
	14
	15	int X509_STORE_CTX_init(X509_STORE_CTX ctx, X509_STORE store,
	16	X509 x509, STACK_OF(X509) chain);
	17
	18	void X509_STORE_CTX_trusted_stack(X509_STORE_CTX ctx, STACK_OF(X509) sk);
	19
	20	void X509_STORE_CTX_set_cert(X509_STORE_CTX ctx,X509 x);
	21	void X509_STORE_CTX_set_chain(X509_STORE_CTX ctx,STACK_OF(X509) sk);
	22	void X509_STORE_CTX_set0_crls(X509_STORE_CTX ctx, STACK_OF(X509_CRL) sk);
	23
	24	X509_VERIFY_PARAM X509_STORE_CTX_get0_param(X509_STORE_CTX ctx);
	25	void X509_STORE_CTX_set0_param(X509_STORE_CTX ctx, X509_VERIFY_PARAM param);
	26	int X509_STORE_CTX_set_default(X509_STORE_CTX ctx, const char name);
	27
7f3f41d8 MC	28	int X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx);
7f3f41d8 MC	29
db576632 DSH	30	=head1 DESCRIPTION
	31
	32	These functions initialise an B<X509_STORE_CTX> structure for subsequent use
	33	by X509_verify_cert().
	34
	35	X509_STORE_CTX_new() returns a newly initialised B<X509_STORE_CTX> structure.
	36
	37	X509_STORE_CTX_cleanup() internally cleans up an B<X509_STORE_CTX> structure.
	38	The context can then be reused with an new call to X509_STORE_CTX_init().
	39
	40	X509_STORE_CTX_free() completely frees up B<ctx>. After this call B<ctx>
	41	is no longer valid.
222561fe	42	If B<ctx> is NULL nothing is done.
db576632 DSH	43
db576632 DSH	44	X509_STORE_CTX_init() sets up B<ctx> for a subsequent verification operation.
aae41f8c MC	45	It must be called before each call to X509_verify_cert(), i.e. a B<ctx> is only
	46	good for one call to X509_verify_cert(); if you want to verify a second
	47	certificate with the same B<ctx> then you must call X509_XTORE_CTX_cleanup()
	48	and then X509_STORE_CTX_init() again before the second call to
	49	X509_verify_cert(). The trusted certificate store is set to B<store>, the end
	50	entity certificate to be verified is set to B<x509> and a set of additional
	51	certificates (which will be untrusted but may be used to build the chain) in
	52	B<chain>. Any or all of the B<store>, B<x509> and B<chain> parameters can be
	53	B<NULL>.
db576632 DSH	54
	55	X509_STORE_CTX_trusted_stack() sets the set of trusted certificates of B<ctx>
	56	to B<sk>. This is an alternative way of specifying trusted certificates
	57	instead of using an B<X509_STORE>.
	58
186bb907	59	X509_STORE_CTX_set_cert() sets the certificate to be verified in B<ctx> to
db576632 DSH	60	B<x>.
	61
	62	X509_STORE_CTX_set_chain() sets the additional certificate chain used by B<ctx>
	63	to B<sk>.
	64
	65	X509_STORE_CTX_set0_crls() sets a set of CRLs to use to aid certificate
	66	verification to B<sk>. These CRLs will only be used if CRL verification is
	67	enabled in the associated B<X509_VERIFY_PARAM> structure. This might be
	68	used where additional "useful" CRLs are supplied as part of a protocol,
	69	for example in a PKCS#7 structure.
	70
186bb907	71	X509_VERIFY_PARAM *X509_STORE_CTX_get0_param() retrieves an internal pointer
db576632 DSH	72	to the verification parameters associated with B<ctx>.
db576632 DSH	73
186bb907	74	X509_STORE_CTX_set0_param() sets the internal verification parameter pointer
db576632 DSH	75	to B<param>. After this call B<param> should not be used.
	76
	77	X509_STORE_CTX_set_default() looks up and sets the default verification
	78	method to B<name>. This uses the function X509_VERIFY_PARAM_lookup() to
	79	find an appropriate set of parameters from B<name>.
	80
7f3f41d8 MC	81	X509_STORE_CTX_get_num_untrusted() returns the number of untrusted certificates
	82	that were used in building the chain following a call to X509_verify_cert().
	83
db576632 DSH	84	=head1 NOTES
	85
	86	The certificates and CRLs in a store are used internally and should B<not>
	87	be freed up until after the associated B<X509_STORE_CTX> is freed. Legacy
	88	applications might implicitly use an B<X509_STORE_CTX> like this:
	89
	90	X509_STORE_CTX ctx;
	91	X509_STORE_CTX_init(&ctx, store, cert, chain);
	92
	93	this is B<not> recommended in new applications they should instead do:
	94
	95	X509_STORE_CTX *ctx;
	96	ctx = X509_STORE_CTX_new();
	97	if (ctx == NULL)
	98	/* Bad error */
	99	X509_STORE_CTX_init(ctx, store, cert, chain);
	100
	101	=head1 BUGS
	102
	103	The certificates and CRLs in a context are used internally and should B<not>
	104	be freed up until after the associated B<X509_STORE_CTX> is freed. Copies
	105	should be made or reference counts increased instead.
	106
	107	=head1 RETURN VALUES
	108
	109	X509_STORE_CTX_new() returns an newly allocates context or B<NULL> is an
	110	error occurred.
	111
	112	X509_STORE_CTX_init() returns 1 for success or 0 if an error occurred.
	113
	114	X509_STORE_CTX_get0_param() returns a pointer to an B<X509_VERIFY_PARAM>
	115	structure or B<NULL> if an error occurred.
	116
	117	X509_STORE_CTX_cleanup(), X509_STORE_CTX_free(), X509_STORE_CTX_trusted_stack(),
	118	X509_STORE_CTX_set_cert(), X509_STORE_CTX_set_chain(),
	119	X509_STORE_CTX_set0_crls() and X509_STORE_CTX_set0_param() do not return
	120	values.
	121
	122	X509_STORE_CTX_set_default() returns 1 for success or 0 if an error occurred.
	123
7f3f41d8 MC	124	X509_STORE_CTX_get_num_untrusted() returns the number of untrusted certificates
	125	used.
	126
db576632 DSH	127	=head1 SEE ALSO
db576632 DSH	128
9b86974e RS	129	L<X509_verify_cert(3)>
9b86974e RS	130	L<X509_VERIFY_PARAM_set_flags(3)>
db576632 DSH	131
	132	=head1 HISTORY
	133
	134	X509_STORE_CTX_set0_crls() was first added to OpenSSL 1.0.0
7f3f41d8	135	X509_STORE_CTX_get_num_untrusted() was first added to OpenSSL 1.1.0
db576632 DSH	136
db576632 DSH	137	=cut