[thirdparty/openssl.git] / doc / man3 / X509_verify_cert.pod

=pod

=head1 NAME

X509_build_chain,
X509_verify_cert,
X509_STORE_CTX_verify - build and verify X509 certificate chain

=head1 SYNOPSIS

 #include <openssl/x509_vfy.h>

 STACK_OF(X509) *X509_build_chain(X509 *target, STACK_OF(X509) *certs,
                                  X509_STORE *store, int with_self_signed,
                                  OSSL_LIB_CTX *libctx, const char *propq);
 int X509_verify_cert(X509_STORE_CTX *ctx);
 int X509_STORE_CTX_verify(X509_STORE_CTX *ctx);

=head1 DESCRIPTION

X509_build_chain() builds a certificate chain starting from I<target>
using the optional list of intermediate CA certificates I<certs>.
If I<store> is NULL it builds the chain as far down as possible, ignoring errors.
Else the chain must reach a trust anchor contained in I<store>.
It internally uses a B<X509_STORE_CTX> structure associated with the library
context I<libctx> and property query string I<propq>, both of which may be NULL.
In case there is more than one possibility for the chain, only one is taken.

On success it returns a pointer to a new stack of (up_ref'ed) certificates
starting with I<target> and followed by all available intermediate certificates.
A self-signed trust anchor is included only if I<target> is the trust anchor
of I<with_self_signed> is 1.
If a non-NULL stack is returned the caller is responsible for freeing it.

The X509_verify_cert() function attempts to discover and validate a
certificate chain based on parameters in I<ctx>.
The verification context, of type B<X509_STORE_CTX>, can be constructed
using L<X509_STORE_CTX_new(3)> and L<X509_STORE_CTX_init(3)>.
It usually includes a target certificate to be verified,
a set of certificates serving as trust anchors,
a list of non-trusted certificates that may be helpful for chain construction,
flags such as X509_V_FLAG_X509_STRICT, and various other optional components
such as a callback function that allows customizing the verification outcome.
A complete description of the certificate verification process is contained in
the L<openssl-verification-options(1)> manual page.

Applications rarely call this function directly but it is used by
OpenSSL internally for certificate validation, in both the S/MIME and
SSL/TLS code.

A negative return value from X509_verify_cert() can occur if it is invoked
incorrectly, such as with no certificate set in I<ctx>, or when it is called
twice in succession without reinitialising I<ctx> for the second call.
A negative return value can also happen due to internal resource problems
or because an internal inconsistency has been detected.
Applications must interpret any return value <= 0 as an error.

The X509_STORE_CTX_verify() behaves like X509_verify_cert() except that its
target certificate is the first element of the list of untrusted certificates
in I<ctx> unless a target certificate is set explicitly.

When the verification target is a raw public key, rather than a certificate,
both functions validate the target raw public key.
In that case the number of possible checks is significantly reduced.
The raw public key can be authenticated only via DANE TLSA records, either
locally synthesised or obtained by the application from DNS.
Raw public key DANE TLSA records may be added via L<SSL_add_expected_rpk(3)> or
L<SSL_dane_tlsa_add(3)>.

=head1 RETURN VALUES

X509_build_chain() returns NULL on error, else a stack of certificates.

Both X509_verify_cert() and X509_STORE_CTX_verify()
return 1 if a complete chain can be built and validated,
otherwise they return 0, and in exceptional circumstances (such as malloc
failure and internal errors) they can also return a negative code.

If a complete chain can be built and validated both functions return 1.
If the certificate must be rejected on the basis of the data available
or any required certificate status data is not available they return 0.
If no definite answer possible they usually return a negative code.

On error or failure additional error information can be obtained by
examining I<ctx> using, for example, L<X509_STORE_CTX_get_error(3)>.  Even if
verification indicated success, the stored error code may be different from
X509_V_OK, likely because a verification callback function has waived the error.

=head1 SEE ALSO

L<SSL_add_expected_rpk(3)>,
L<SSL_CTX_dane_enable(3)>,
L<SSL_dane_tlsa_add(3)>,
L<X509_STORE_CTX_new(3)>,
L<X509_STORE_CTX_init(3)>,
L<X509_STORE_CTX_init_rpk(3)>,
L<X509_STORE_CTX_get_error(3)>

=head1 HISTORY

X509_build_chain() and X509_STORE_CTX_verify() were added in OpenSSL 3.0.

=head1 COPYRIGHT

Copyright 2009-2023 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
Commit	Line	Data
b8c182a4 DSH	1	=pod
	2
	3	=head1 NAME
	4
1c0eede9	5	X509_build_chain,
11ddbf84	6	X509_verify_cert,
1c0eede9	7	X509_STORE_CTX_verify - build and verify X509 certificate chain
b8c182a4 DSH	8
	9	=head1 SYNOPSIS
	10
11ddbf84	11	#include <openssl/x509_vfy.h>
b8c182a4	12
1c0eede9 DDO	13	STACK_OF(X509) X509_build_chain(X509 target, STACK_OF(X509) *certs,
	14	X509_STORE *store, int with_self_signed,
	15	OSSL_LIB_CTX libctx, const char propq);
b8c182a4	16	int X509_verify_cert(X509_STORE_CTX *ctx);
11ddbf84	17	int X509_STORE_CTX_verify(X509_STORE_CTX *ctx);
b8c182a4 DSH	18
	19	=head1 DESCRIPTION
	20
1c0eede9 DDO	21	X509_build_chain() builds a certificate chain starting from I<target>
	22	using the optional list of intermediate CA certificates I<certs>.
	23	If I<store> is NULL it builds the chain as far down as possible, ignoring errors.
	24	Else the chain must reach a trust anchor contained in I<store>.
	25	It internally uses a B<X509_STORE_CTX> structure associated with the library
	26	context I<libctx> and property query string I<propq>, both of which may be NULL.
	27	In case there is more than one possibility for the chain, only one is taken.
	28
	29	On success it returns a pointer to a new stack of (up_ref'ed) certificates
	30	starting with I<target> and followed by all available intermediate certificates.
	31	A self-signed trust anchor is included only if I<target> is the trust anchor
	32	of I<with_self_signed> is 1.
	33	If a non-NULL stack is returned the caller is responsible for freeing it.
	34
b8c182a4	35	The X509_verify_cert() function attempts to discover and validate a
11ddbf84	36	certificate chain based on parameters in I<ctx>.
bbc83434 DO	37	The verification context, of type B<X509_STORE_CTX>, can be constructed
bbc83434 DO	38	using L<X509_STORE_CTX_new(3)> and L<X509_STORE_CTX_init(3)>.
11ddbf84 DDO	39	It usually includes a target certificate to be verified,
	40	a set of certificates serving as trust anchors,
	41	a list of non-trusted certificates that may be helpful for chain construction,
bbc83434 DO	42	flags such as X509_V_FLAG_X509_STRICT, and various other optional components
	43	such as a callback function that allows customizing the verification outcome.
	44	A complete description of the certificate verification process is contained in
b6f18ed2	45	the L<openssl-verification-options(1)> manual page.
b8c182a4	46
b8c182a4 DSH	47	Applications rarely call this function directly but it is used by
	48	OpenSSL internally for certificate validation, in both the S/MIME and
	49	SSL/TLS code.
	50
5fba3912	51	A negative return value from X509_verify_cert() can occur if it is invoked
11ddbf84 DDO	52	incorrectly, such as with no certificate set in I<ctx>, or when it is called
11ddbf84 DDO	53	twice in succession without reinitialising I<ctx> for the second call.
7e365d51	54	A negative return value can also happen due to internal resource problems
dfb39f73	55	or because an internal inconsistency has been detected.
7e365d51	56	Applications must interpret any return value <= 0 as an error.
b8c182a4	57
11ddbf84 DDO	58	The X509_STORE_CTX_verify() behaves like X509_verify_cert() except that its
	59	target certificate is the first element of the list of untrusted certificates
	60	in I<ctx> unless a target certificate is set explicitly.
21d08b9e	61
3c95ef22 TS	62	When the verification target is a raw public key, rather than a certificate,
	63	both functions validate the target raw public key.
	64	In that case the number of possible checks is significantly reduced.
	65	The raw public key can be authenticated only via DANE TLSA records, either
	66	locally synthesised or obtained by the application from DNS.
	67	Raw public key DANE TLSA records may be added via L<SSL_add_expected_rpk(3)> or
	68	L<SSL_dane_tlsa_add(3)>.
	69
11ddbf84	70	=head1 RETURN VALUES
21d08b9e	71
1c0eede9 DDO	72	X509_build_chain() returns NULL on error, else a stack of certificates.
	73
	74	Both X509_verify_cert() and X509_STORE_CTX_verify()
	75	return 1 if a complete chain can be built and validated,
11ddbf84 DDO	76	otherwise they return 0, and in exceptional circumstances (such as malloc
11ddbf84 DDO	77	failure and internal errors) they can also return a negative code.
b8c182a4	78
7e365d51 DDO	79	If a complete chain can be built and validated both functions return 1.
	80	If the certificate must be rejected on the basis of the data available
	81	or any required certificate status data is not available they return 0.
	82	If no definite answer possible they usually return a negative code.
	83
11ddbf84	84	On error or failure additional error information can be obtained by
990a15fe DDO	85	examining I<ctx> using, for example, L<X509_STORE_CTX_get_error(3)>. Even if
	86	verification indicated success, the stored error code may be different from
	87	X509_V_OK, likely because a verification callback function has waived the error.
b8c182a4 DSH	88
	89	=head1 SEE ALSO
	90
3c95ef22 TS	91	L<SSL_add_expected_rpk(3)>,
	92	L<SSL_CTX_dane_enable(3)>,
	93	L<SSL_dane_tlsa_add(3)>,
	94	L<X509_STORE_CTX_new(3)>,
	95	L<X509_STORE_CTX_init(3)>,
	96	L<X509_STORE_CTX_init_rpk(3)>,
9b86974e	97	L<X509_STORE_CTX_get_error(3)>
b8c182a4	98
11ddbf84 DDO	99	=head1 HISTORY
11ddbf84 DDO	100
1c0eede9	101	X509_build_chain() and X509_STORE_CTX_verify() were added in OpenSSL 3.0.
11ddbf84	102
e2f92610 RS	103	=head1 COPYRIGHT
e2f92610 RS	104
3c95ef22	105	Copyright 2009-2023 The OpenSSL Project Authors. All Rights Reserved.
e2f92610	106
4746f25a	107	Licensed under the Apache License 2.0 (the "License"). You may not use
e2f92610 RS	108	this file except in compliance with the License. You can obtain a copy
	109	in the file LICENSE in the source distribution or at
	110	L<https://www.openssl.org/source/license.html>.
	111
	112	=cut