Sortix nightly manual
This manual documents Sortix nightly, a development build that has not been officially released. You can instead view this document in the latest official manual.
| X509_STORE_CTX_SET_VERIFY(3) | Library Functions Manual | X509_STORE_CTX_SET_VERIFY(3) | 
NAME
X509_STORE_CTX_verify_fn, X509_STORE_CTX_set_verify, X509_STORE_CTX_get_verify, X509_STORE_set_verify, X509_STORE_set_verify_func, X509_STORE_get_verify, X509_STORE_CTX_check_issued_fn, X509_STORE_set_check_issued, X509_STORE_get_check_issued, X509_STORE_CTX_get_check_issued — user-defined certificate chain verification function
SYNOPSIS
#include <openssl/x509_vfy.h>
typedef int (*X509_STORE_CTX_verify_fn)(X509_STORE_CTX *ctx);
void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx, X509_STORE_CTX_verify_fn verify);
X509_STORE_CTX_verify_fn X509_STORE_CTX_get_verify(X509_STORE_CTX *ctx);
void X509_STORE_set_verify(X509_STORE *store, X509_STORE_CTX_verify_fn verify);
void X509_STORE_set_verify_func(X509_STORE *store, X509_STORE_CTX_verify_fn verify);
X509_STORE_CTX_verify_fn X509_STORE_get_verify(X509_STORE *store);
typedef int (*X509_STORE_CTX_check_issued_fn)(X509_STORE_CTX *ctx, X509 *subject, X509 *issuer);
void X509_STORE_set_check_issued(X509_STORE *store, X509_STORE_CTX_check_issued_fn check_issued);
X509_STORE_CTX_check_issued_fn X509_STORE_get_check_issued(X509_STORE *store);
X509_STORE_CTX_check_issued_fn X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx);
DESCRIPTION
X509_STORE_CTX_set_verify() configures ctx to use the verify argument as the X.509 certificate chain verification function instead of the default verification function built into the library when X509_verify_cert(3) is called.
The verify function provided by the user is only called if the X509_V_FLAG_LEGACY_VERIFY or X509_V_FLAG_NO_ALT_CHAINS flag was set on ctx using X509_STORE_CTX_set_flags(3) or X509_VERIFY_PARAM_set_flags(3). Otherwise, it is ignored and a different algorithm is used that does not support replacing the verification function.
X509_STORE_set_verify() saves the function pointer verify in the given store object. That pointer will be copied to an X509_STORE_CTX object when store is later passed as an argument to X509_STORE_CTX_init(3).
X509_STORE_set_verify_func() is an alias for X509_STORE_set_verify() implemented as a macro.
X509_STORE_set_check_issued() saves the function pointer check_issued in the given store object. That pointer will be copied to an X509_STORE_CTX object when store is later passed as an argument to X509_STORE_CTX_init(3).
The check_issued function provided by the user should check whether a given certificate subject was issued using the CA certificate issuer, and must return 0 on failure and 1 on success. The default implementation ignores the ctx argument and returns success if and only if X509_check_issued(3) returns X509_V_OK. It is important to pay close attention to the order of the issuer and subject arguments. In X509_check_issued(3) the issuer precedes the subject while in check_issued() the subject comes first.
RETURN VALUES
X509_STORE_CTX_verify_fn() is supposed to return 1 to indicate that the chain is valid or 0 if it is not or if an error occurred.
X509_STORE_CTX_get_verify() returns a function pointer previously set with X509_STORE_CTX_set_verify() or X509_STORE_CTX_init(3), or NULL if ctx is uninitialized.
X509_STORE_get_verify() returns the function pointer previously set with X509_STORE_set_verify(), or NULL if that function was not called on the store.
X509_STORE_get_check_issued() returns the function pointer previously set with X509_STORE_set_check_issued(), or NULL if that function was not called on the store.
X509_STORE_CTX_get_check_issued() returns the check_issued() function pointer set on the X509_STORE_CTX. This is either the check_issued() function inherited from the store used in X509_STORE_CTX_init(3) or the library's default implementation.
SEE ALSO
X509_check_issued(3), X509_STORE_CTX_init(3), X509_STORE_CTX_set_error(3), X509_STORE_CTX_set_flags(3), X509_STORE_CTX_set_verify_cb(3), X509_STORE_new(3), X509_STORE_set_flags(3), X509_STORE_set_verify_cb(3), X509_verify_cert(3), X509_VERIFY_PARAM_set_flags(3)
HISTORY
X509_STORE_set_verify_func() first appeared in SSLeay 0.8.0 and has been available since OpenBSD 2.4.
X509_STORE_CTX_set_verify() and X509_STORE_CTX_get_verify() first appeared in OpenSSL 1.1.0 and have been available since OpenBSD 7.1.
X509_STORE_CTX_verify_fn(), X509_STORE_set_verify(), and X509_STORE_get_verify() first appeared in OpenSSL 1.1.0 and have been available since OpenBSD 7.2.
X509_STORE_set_check_issued(), X509_STORE_get_check_issued(), and X509_STORE_CTX_get_check_issued() first appeared in OpenSSL 1.1.0 and have been available since OpenBSD 7.3.
BUGS
The reversal of order of subject and issuer between check_issued() and X509_check_issued(3) is very confusing. It has led to bugs and will cause many more.
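The argument order and return convention described in DESCRIPTION and BUGS, as an added example that is not part of the original manual or of the library's code. It is a self-contained model: model_cert, model_check_issued() and the cb_* functions are hypothetical stand-ins that compare names only, and it shows why a test suite containing only self-signed certificates cannot catch a wrapper that forwards its arguments in the wrong order.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for X509 (assumption): only the names that issuer matching compares. */
typedef struct { const char *subject, *issuer; } model_cert;
enum { MODEL_V_OK = 0, MODEL_V_MISMATCH = 1 }; /* like X509_V_OK, success is 0 */

/* Stand-in for X509_check_issued(3): ISSUER first, SUBJECT second; names only. */
static int model_check_issued(const model_cert *issuer, const model_cert *subject) {
	return strcmp(issuer->subject, subject->issuer) ? MODEL_V_MISMATCH : MODEL_V_OK;
}

/* Callback shape from this page: SUBJECT first, ISSUER second; 1 = issued, 0 = not. */
typedef int (*model_check_issued_fn)(void *ctx, const model_cert *subject,
    const model_cert *issuer);

/* Correct: swap the arguments back and map the zero-is-success code to 1 or 0. */
static int cb_correct(void *ctx, const model_cert *subject, const model_cert *issuer) {
	(void)ctx;
	return model_check_issued(issuer, subject) == MODEL_V_OK;
}

/* Defect: arguments forwarded in callback order, which inverts the question. */
static int cb_swapped(void *ctx, const model_cert *subject, const model_cert *issuer) {
	(void)ctx;
	return model_check_issued(subject, issuer) == MODEL_V_OK;
}

/* Constructed chain: leaf <- intermediate <- self-signed root. */
static const model_cert root = { "Root CA", "Root CA" };
static const model_cert inter = { "Intermediate CA", "Root CA" };
static const model_cert leaf = { "leaf.example", "Intermediate CA" };

/* Bit i of the result is set when cb accepts pair i as (subject, issuer). */
static unsigned run_cases(model_check_issued_fn cb) {
	const model_cert *pairs[][2] = {
		{ &leaf, &inter }, { &inter, &root }, /* bits 0-1: genuine links */
		{ &root, &root }, { &inter, &leaf },  /* bit 2: self-signed; bit 3: reversed */
	};
	unsigned i, mask = 0;
	for (i = 0; i < sizeof(pairs) / sizeof(pairs[0]); i++)
		mask |= (unsigned)(cb(NULL, pairs[i][0], pairs[i][1]) != 0) << i;
	return mask;
}

int main(void) {
	printf("correct=0x%x swapped=0x%x\n", run_cases(cb_correct), run_cases(cb_swapped));
	return 0;
}
```

run_cases() returns 0x7 for cb_correct and 0xc for cb_swapped: the swapped wrapper rejects both genuine links, still accepts the self-signed root, and accepts the reversed pair. A regression test for a custom check_issued() therefore needs at least one non-self-signed pair and one reversed pair.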
| June 7, 2024 | Sortix 1.1.0-dev | 
