OpenBSD manual page server

Manual Page Search Parameters
X509_STORE_GET_BY_SUBJECT(3) Library Functions Manual X509_STORE_GET_BY_SUBJECT(3)

X509_STORE_get_by_subject, X509_STORE_get1_certs, X509_STORE_get1_crls, X509_STORE_CTX_get1_issuerretrieve objects from a certificate store

#include <openssl/x509_vfy.h>

int
X509_STORE_get_by_subject(X509_STORE_CTX *ctx, int type, X509_NAME *name, X509_OBJECT *object);

STACK_OF(X509) *
X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *name);

STACK_OF(X509_CRL) *
X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *name);

int
X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *certificate);

() retrieves the first object having a matching type and name from the X509_STORE associated with the ctx. The type can be X509_LU_X509 to retrieve a certificate or X509_LU_CRL to retrieve a revocation list.

If the store does not yet contain a matching object or if the type is X509_LU_CRL, X509_LOOKUP_by_subject(3) is called on X509_LOOKUP objects associated with the store until a match is found, which may add zero or more objects to the store.

In case of success, the content of the object provided by the caller is overwritten with a pointer to the first match, and the reference count of that certificate or revocation list is incremented by 1. Avoiding a memory leak by making sure the provided object is empty is the responsibility of the caller.

() retrieves all certificates matching the subject name from the X509_STORE associated with ctx. If there are none yet, X509_STORE_get_by_subject() is called to try and add some. In case of success, the reference counts of all certificates added to the returned array are incremented by 1.

() is similar except that it operates on certificate revocation lists rather than on certificates and that it always calls X509_STORE_get_by_subject(), even if the X509_STORE already contains a matching revocation list.

() retrieves the issuer CA certificate for the given certificate from the X509_STORE associated with ctx. Internally, the issuer name is retrieved with X509_get_issuer_name(3) and the candidate issuer CA certificate with X509_STORE_get_by_subject() using that issuer name. X509_check_issued(3) or a user-supplied replacement function is used to check whether the certificate was indeed issued using the issuer CA certificate before returning it. If verification parameters associated with ctx encourage checking of validity times, CAs with a valid time are preferred, but if no matching CA has a valid time, one with an invalid time is accepted anyway.

X509_STORE_get_by_subject() returns 1 if a match is found or 0 on failure. In addition to simply not finding a match, it may also fail due to memory allocation failure in X509_LOOKUP_by_subject(3). If ctx contains any X509_LOOKUP object using a user-defined X509_LOOKUP_METHOD, it might also return negative values for internal errors.

X509_STORE_get1_certs() returns a newly allocated and populated array of certificates or NULL on failure. It fails if no match is found, if X509_STORE_get_by_subject() fails, or if memory allocation fails.

X509_STORE_get1_crls() returns a newly allocated and populated array of CRLs or NULL on failure. It fails if X509_STORE_get_by_subject() finds no new match, even if the associated X509_STORE already contains matching CRLs, or if memory allocation fails.

X509_STORE_CTX_get1_issuer() returns 1 if a matching issuer CA certificate is found or 0 otherwise. If ctx contains any X509_LOOKUP object using a user-defined X509_LOOKUP_METHOD, it might also return negative values for internal errors.

STACK_OF(3), X509_check_issued(3), X509_CRL_new(3), X509_get_issuer_name(3), X509_LOOKUP_by_subject(3), X509_NAME_new(3), X509_new(3), X509_OBJECT_retrieve_by_subject(3), X509_STORE_CTX_new(3), X509_VERIFY_PARAM_set_flags(3)

X509_STORE_get_by_subject() first appeared in SSLeay 0.8.0 and has been available since OpenBSD 2.4.

X509_STORE_CTX_get1_issuer() first appeared in OpenSSL 0.9.6 and has been available since OpenBSD 2.9.

X509_STORE_get1_certs() and X509_STORE_get1_crls() first appeared in OpenSSL 1.0.0 and have been available since OpenBSD 4.9.

August 2, 2021 OpenBSD-7.0