NAME
X509_CRL_METHOD_new, X509_CRL_METHOD_free, X509_CRL_set_default_method, X509_CRL_set_meth_data, X509_CRL_get_meth_data — customize CRL handling
SYNOPSIS
#include <openssl/x509.h>

X509_CRL_METHOD *
X509_CRL_METHOD_new(int (*crl_init)(X509_CRL *crl), int (*crl_free)(X509_CRL *crl), int (*crl_lookup)(X509_CRL *crl, X509_REVOKED **ret, ASN1_INTEGER *ser, X509_NAME *issuer), int (*crl_verify)(X509_CRL *crl, EVP_PKEY *pk));

void
X509_CRL_METHOD_free(X509_CRL_METHOD *method);

void
X509_CRL_set_default_method(const X509_CRL_METHOD *method);

void
X509_CRL_set_meth_data(X509_CRL *crl, void *data);

void *
X509_CRL_get_meth_data(X509_CRL *crl);
DESCRIPTION
These functions customize BER decoding and signature verification of X.509 certificate revocation lists, as well as retrieval of revoked entries from such lists.
X509_CRL_METHOD_new() allocates and initializes a new X509_CRL_METHOD object, storing in it the four pointers to callback functions that are provided as arguments.

X509_CRL_METHOD_free() frees the given method object. If method is a NULL pointer or points to the static object built into the library, no action occurs.

X509_CRL_set_default_method() designates the given method to be used for objects that will be created with X509_CRL_new(3) in the future. It has no effect on X509_CRL objects that already exist. If method is NULL, any previously installed method will no longer be used for new X509_CRL objects created in the future, and those future objects will adhere to the default behaviour instead.

The optional function crl_init() will be called at the end of d2i_X509_CRL(3), and the optional function crl_free() near the end of X509_CRL_free(3), immediately before freeing crl itself. The function crl_lookup() will be called by X509_CRL_get0_by_serial(3), setting issuer to NULL, and by X509_CRL_get0_by_cert(3), in both cases instead of performing the default action. The function crl_verify() will be called by X509_CRL_verify(3) instead of performing the default action; because the built-in signature check is not run in that case, crl_verify() is responsible for verifying the signature itself.

X509_CRL_set_meth_data() stores the pointer to the auxiliary data inside the crl object. The pointer is expected to remain valid during the whole lifetime of the crl object but is not automatically freed when the crl object is freed; a crl_free() callback is the natural place to release it.

X509_CRL_get_meth_data() retrieves the data from crl that was added with X509_CRL_set_meth_data(). This may for example be useful inside the four callback functions installed with X509_CRL_METHOD_new().
RETURN VALUES
X509_CRL_METHOD_new() returns a pointer to the new object or NULL if memory allocation fails.

X509_CRL_get_meth_data() returns the pointer previously installed with X509_CRL_set_meth_data() or NULL if X509_CRL_set_meth_data() was not called on crl.

The callback functions crl_init() and crl_free() are supposed to return 1 for success or 0 for failure.

The callback function crl_lookup() is supposed to return 0 for failure or 1 for success, except if the revoked entry has the reason "removeFromCRL", in which case it is supposed to return 2.

The callback function crl_verify() is supposed to return 1 if the signature is valid or 0 if the signature check fails. If the signature could not be checked at all because it was invalid or some other error occurred, -1 may be returned.
SEE ALSO
ASN1_INTEGER_new(3), d2i_X509_CRL(3), EVP_PKEY_new(3), X509_CRL_get0_by_serial(3), X509_CRL_new(3), X509_CRL_verify(3), X509_NAME_new(3), X509_REVOKED_new(3)
HISTORY
These functions first appeared in OpenSSL 1.0.0 and have been available since OpenBSD 4.9.