OpenBSD manual page server

Manual Page Search Parameters

X509_STORE_CTX_SET_VERIFY(3) Library Functions Manual X509_STORE_CTX_SET_VERIFY(3)

X509_STORE_CTX_verify_fn, X509_STORE_CTX_set_verify, X509_STORE_CTX_get_verify, X509_STORE_set_verify, X509_STORE_set_verify_func, X509_STORE_get_verify, X509_STORE_CTX_check_issued_fn, X509_STORE_set_check_issued, X509_STORE_get_check_issued, X509_STORE_CTX_get_check_issueduser-defined certificate chain verification function

#include <openssl/x509_vfy.h>

typedef int
(*X509_STORE_CTX_verify_fn)(X509_STORE_CTX *ctx);

void
X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx, X509_STORE_CTX_verify_fn verify);

X509_STORE_CTX_verify_fn
X509_STORE_CTX_get_verify(X509_STORE_CTX *ctx);

void
X509_STORE_set_verify(X509_STORE *store, X509_STORE_CTX_verify_fn verify);

void
X509_STORE_set_verify_func(X509_STORE *store, X509_STORE_CTX_verify_fn verify);

X509_STORE_CTX_verify_fn
X509_STORE_get_verify(X509_STORE_CTX *ctx);

typedef int
(*X509_STORE_CTX_check_issued_fn)(X509_STORE_CTX *ctx, X509 *subject, X509 *issuer);

void
X509_STORE_set_check_issued(X509_STORE *store, X509_STORE_CTX_check_issued_fn check_issued);

X509_STORE_CTX_check_issued_fn
X509_STORE_get_check_issued(X509_STORE *store);

X509_STORE_CTX_check_issued_fn
X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx);

() configures ctx to use the verify argument as the X.509 certificate chain verification function instead of the default verification function built into the library when X509_verify_cert(3) is called.

The verify function provided by the user is only called if the X509_V_FLAG_LEGACY_VERIFY or X509_V_FLAG_NO_ALT_CHAINS flag was set on ctx using X509_STORE_CTX_set_flags(3) or X509_VERIFY_PARAM_set_flags(3). Otherwise, it is ignored and a different algorithm is used that does not support replacing the verification function.

() saves the function pointer verify in the given store object. That pointer will be copied to an X509_STORE_CTX object when store is later passed as an argument to X509_STORE_CTX_init(3).

() is an alias for X509_STORE_set_verify() implemented as a macro.

() saves the function pointer check_issued in the given store object. That pointer will be copied to an X509_STORE_CTX object when store is later passed as an argument to (3).

The check_issued function provided by the user should check whether a given certificate subject was issued using the CA certificate issuer, and must return 0 on failure and 1 on success. The default implementation ignores the ctx argument and returns success if and only if X509_check_issued(3) returns X509_V_OK. It is important to pay close attention to the order of the issuer and subject arguments. In X509_check_issued(3) the issuer precedes the subject while in () the subject comes first.

X509_STORE_CTX_verify_fn() is supposed to return 1 to indicate that the chain is valid or 0 if it is not or if an error occurred.

X509_STORE_CTX_get_verify() returns a function pointer previously set with X509_STORE_CTX_set_verify() or X509_STORE_CTX_init(3), or NULL if ctx is uninitialized.

X509_STORE_get_verify() returns the function pointer previously set with X509_STORE_set_verify(), or NULL if that function was not called on the store.

X509_STORE_get_check_issued() returns the function pointer previously set with X509_STORE_set_check_issued(), or NULL if that function was not called on the store.

X509_STORE_CTX_get_check_issued() returns the check_issued() function pointer set on the X509_STORE_CTX. This is either the check_issued() function inherited from the store used in X509_STORE_CTX_init(3) or the library's default implementation.

X509_check_issued(3), X509_STORE_CTX_init(3), X509_STORE_CTX_set_error(3), X509_STORE_CTX_set_flags(3), X509_STORE_CTX_set_verify_cb(3), X509_STORE_new(3), X509_STORE_set_flags(3), X509_STORE_set_verify_cb(3), X509_verify_cert(3), X509_VERIFY_PARAM_set_flags(3)

X509_STORE_set_verify_func() first appeared in SSLeay 0.8.0 and has been available since OpenBSD 2.4.

X509_STORE_CTX_set_verify() and X509_STORE_CTX_get_verify() first appeared in OpenSSL 1.1.0 and have been available since OpenBSD 7.1.

X509_STORE_CTX_verify_fn(), X509_STORE_set_verify(), and X509_STORE_get_verify() first appeared in OpenSSL 1.1.0 and have been available since OpenBSD 7.2.

X509_STORE_set_check_issued(), X509_STORE_get_check_issued(), and X509_STORE_CTX_get_check_issued() first appeared in OpenSSL 1.1.0 and have been available since OpenBSD 7.3.

The reversal of order of subject and issuer between check_issued() and X509_check_issued(3) is very confusing. It has led to bugs and will cause many more.

June 7, 2024 OpenBSD-current