NAME
     X509_STORE_CTX_verify_fn, X509_STORE_CTX_set_verify,
     X509_STORE_CTX_get_verify, X509_STORE_set_verify,
     X509_STORE_set_verify_func, X509_STORE_get_verify,
     X509_STORE_CTX_check_issued_fn, X509_STORE_set_check_issued,
     X509_STORE_get_check_issued, X509_STORE_CTX_get_check_issued —
     user-defined certificate chain verification function
SYNOPSIS
     #include <openssl/x509_vfy.h>

     typedef int
     (*X509_STORE_CTX_verify_fn)(X509_STORE_CTX *ctx);

     void
     X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx,
         X509_STORE_CTX_verify_fn verify);

     X509_STORE_CTX_verify_fn
     X509_STORE_CTX_get_verify(X509_STORE_CTX *ctx);

     void
     X509_STORE_set_verify(X509_STORE *store, X509_STORE_CTX_verify_fn verify);

     void
     X509_STORE_set_verify_func(X509_STORE *store,
         X509_STORE_CTX_verify_fn verify);

     X509_STORE_CTX_verify_fn
     X509_STORE_get_verify(X509_STORE *store);

     typedef int
     (*X509_STORE_CTX_check_issued_fn)(X509_STORE_CTX *ctx, X509 *subject,
         X509 *issuer);

     void
     X509_STORE_set_check_issued(X509_STORE *store,
         X509_STORE_CTX_check_issued_fn check_issued);

     X509_STORE_CTX_check_issued_fn
     X509_STORE_get_check_issued(X509_STORE *store);

     X509_STORE_CTX_check_issued_fn
     X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx);
DESCRIPTION
     X509_STORE_CTX_set_verify() configures ctx to use verify as the X.509
     certificate chain verification function, in place of the default
     verification function built into the library, when X509_verify_cert(3)
     is called.  The user-supplied verify function is only called if the
     X509_V_FLAG_LEGACY_VERIFY or X509_V_FLAG_NO_ALT_CHAINS flag was set on
     ctx using X509_STORE_CTX_set_flags(3) or X509_VERIFY_PARAM_set_flags(3).
     Otherwise it is ignored and a different algorithm, one that does not
     support replacing the verification function, is used instead.

     X509_STORE_set_verify() saves the function pointer verify in the given
     store object.  That pointer is copied into an X509_STORE_CTX object when
     store is later passed as an argument to X509_STORE_CTX_init(3).

     X509_STORE_set_verify_func() is an alias for X509_STORE_set_verify()
     implemented as a macro.

     X509_STORE_set_check_issued() saves the function pointer check_issued in
     the given store object.  That pointer is copied into an X509_STORE_CTX
     object when store is later passed as an argument to
     X509_STORE_CTX_init(3).

     The user-supplied check_issued function should check whether the
     certificate subject was issued using the CA certificate issuer, and must
     return 0 on failure and 1 on success.  The default implementation ignores
     the ctx argument and returns success if and only if X509_check_issued(3)
     returns X509_V_OK.  Pay close attention to the order of the issuer and
     subject arguments: in X509_check_issued(3) the issuer precedes the
     subject, whereas in check_issued() the subject comes first.
RETURN VALUES
     X509_STORE_CTX_verify_fn() is supposed to return 1 to indicate that the
     chain is valid, or 0 if it is not or if an error occurred.

     X509_STORE_CTX_get_verify() returns a function pointer previously set with
     X509_STORE_CTX_set_verify() or X509_STORE_CTX_init(3), or NULL if ctx is
     uninitialized.

     X509_STORE_get_verify() returns the function pointer previously set with
     X509_STORE_set_verify(), or NULL if that function was not called on the
     store.

     X509_STORE_get_check_issued() returns the function pointer previously set
     with X509_STORE_set_check_issued(), or NULL if that function was not
     called on the store.

     X509_STORE_CTX_get_check_issued() returns the check_issued() function
     pointer set on the X509_STORE_CTX.  This is either the check_issued()
     function inherited from the store used in X509_STORE_CTX_init(3) or the
     library's default implementation.
SEE ALSO
     X509_check_issued(3), X509_STORE_CTX_init(3), X509_STORE_CTX_set_error(3),
     X509_STORE_CTX_set_flags(3), X509_STORE_CTX_set_verify_cb(3),
     X509_STORE_new(3), X509_STORE_set_flags(3), X509_STORE_set_verify_cb(3),
     X509_verify_cert(3), X509_VERIFY_PARAM_set_flags(3)
HISTORY
     X509_STORE_set_verify_func() first appeared in SSLeay 0.8.0 and has been
     available since OpenBSD 2.4.

     X509_STORE_CTX_set_verify() and X509_STORE_CTX_get_verify() first appeared
     in OpenSSL 1.1.0 and have been available since OpenBSD 7.1.

     X509_STORE_CTX_verify_fn(), X509_STORE_set_verify(), and
     X509_STORE_get_verify() first appeared in OpenSSL 1.1.0 and have been
     available since OpenBSD 7.2.

     X509_STORE_set_check_issued(), X509_STORE_get_check_issued(), and
     X509_STORE_CTX_get_check_issued() first appeared in OpenSSL 1.1.0 and
     have been available since OpenBSD 7.3.
BUGS
     The reversal of the order of subject and issuer between check_issued()
     and X509_check_issued(3) is very confusing.  It has led to bugs and will
     cause many more.