libcrypto/man/X509_STORE_CTX_set_verify.3

*3b7446eeStb.\" $OpenBSD: X509_STORE_CTX_set_verify.3,v 1.8 2024/06/07 05:51:39 tb Exp $
491f2bffSschwarze.\"
e38e0490Sschwarze.\" Copyright (c) 2021, 2022 Ingo Schwarze <schwarze@openbsd.org>
2c347fa6Sschwarze.\" Copyright (c) 2023 Job Snijders <job@openbsd.org>
491f2bffSschwarze.\"
491f2bffSschwarze.\" Permission to use, copy, modify, and distribute this software for any
491f2bffSschwarze.\" purpose with or without fee is hereby granted, provided that the above
491f2bffSschwarze.\" copyright notice and this permission notice appear in all copies.
491f2bffSschwarze.\"
491f2bffSschwarze.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
491f2bffSschwarze.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
491f2bffSschwarze.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
491f2bffSschwarze.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
491f2bffSschwarze.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
491f2bffSschwarze.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
491f2bffSschwarze.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
491f2bffSschwarze.\"
*3b7446eeStb.Dd $Mdocdate: June 7 2024 $
491f2bffSschwarze.Dt X509_STORE_CTX_SET_VERIFY 3
491f2bffSschwarze.Os
491f2bffSschwarze.Sh NAME
491f2bffSschwarze.Nm X509_STORE_CTX_verify_fn ,
491f2bffSschwarze.Nm X509_STORE_CTX_set_verify ,
491f2bffSschwarze.Nm X509_STORE_CTX_get_verify ,
491f2bffSschwarze.Nm X509_STORE_set_verify ,
e38e0490Sschwarze.Nm X509_STORE_set_verify_func ,
efc80f80Sjob.Nm X509_STORE_get_verify ,
2c347fa6Sschwarze.Nm X509_STORE_CTX_check_issued_fn ,
efc80f80Sjob.Nm X509_STORE_set_check_issued ,
efc80f80Sjob.Nm X509_STORE_get_check_issued ,
efc80f80Sjob.Nm X509_STORE_CTX_get_check_issued
491f2bffSschwarze.Nd user-defined certificate chain verification function
491f2bffSschwarze.Sh SYNOPSIS
491f2bffSschwarze.In openssl/x509_vfy.h
491f2bffSschwarze.Ft typedef int
19a92ca5Sjsg.Fo (*X509_STORE_CTX_verify_fn)
491f2bffSschwarze.Fa "X509_STORE_CTX *ctx"
491f2bffSschwarze.Fc
491f2bffSschwarze.Ft void
491f2bffSschwarze.Fo X509_STORE_CTX_set_verify
491f2bffSschwarze.Fa "X509_STORE_CTX *ctx"
491f2bffSschwarze.Fa "X509_STORE_CTX_verify_fn verify"
491f2bffSschwarze.Fc
491f2bffSschwarze.Ft X509_STORE_CTX_verify_fn
491f2bffSschwarze.Fo X509_STORE_CTX_get_verify
491f2bffSschwarze.Fa "X509_STORE_CTX *ctx"
491f2bffSschwarze.Fc
491f2bffSschwarze.Ft void
491f2bffSschwarze.Fo X509_STORE_set_verify
491f2bffSschwarze.Fa "X509_STORE *store"
491f2bffSschwarze.Fa "X509_STORE_CTX_verify_fn verify"
491f2bffSschwarze.Fc
491f2bffSschwarze.Ft void
491f2bffSschwarze.Fo X509_STORE_set_verify_func
491f2bffSschwarze.Fa "X509_STORE *store"
491f2bffSschwarze.Fa "X509_STORE_CTX_verify_fn verify"
491f2bffSschwarze.Fc
e38e0490Sschwarze.Ft X509_STORE_CTX_verify_fn
e38e0490Sschwarze.Fo X509_STORE_get_verify
e38e0490Sschwarze.Fa "X509_STORE_CTX *ctx"
e38e0490Sschwarze.Fc
efc80f80Sjob.Ft typedef int
19a92ca5Sjsg.Fo (*X509_STORE_CTX_check_issued_fn)
efc80f80Sjob.Fa "X509_STORE_CTX *ctx"
efc80f80Sjob.Fa "X509 *subject"
efc80f80Sjob.Fa "X509 *issuer"
efc80f80Sjob.Fc
efc80f80Sjob.Ft void
efc80f80Sjob.Fo X509_STORE_set_check_issued
efc80f80Sjob.Fa "X509_STORE *store"
efc80f80Sjob.Fa "X509_STORE_CTX_check_issued_fn check_issued"
efc80f80Sjob.Fc
efc80f80Sjob.Ft X509_STORE_CTX_check_issued_fn
efc80f80Sjob.Fo X509_STORE_get_check_issued
efc80f80Sjob.Fa "X509_STORE *store"
efc80f80Sjob.Fc
efc80f80Sjob.Ft X509_STORE_CTX_check_issued_fn
efc80f80Sjob.Fo X509_STORE_CTX_get_check_issued
efc80f80Sjob.Fa "X509_STORE_CTX *ctx"
efc80f80Sjob.Fc
491f2bffSschwarze.Sh DESCRIPTION
491f2bffSschwarze.Fn X509_STORE_CTX_set_verify
491f2bffSschwarzeconfigures
491f2bffSschwarze.Fa ctx
491f2bffSschwarzeto use the
491f2bffSschwarze.Fa verify
491f2bffSschwarzeargument as the X.509 certificate chain verification function instead
491f2bffSschwarzeof the default verification function built into the library when
491f2bffSschwarze.Xr X509_verify_cert 3
491f2bffSschwarzeis called.
491f2bffSschwarze.Pp
491f2bffSschwarzeThe
491f2bffSschwarze.Fa verify
491f2bffSschwarzefunction provided by the user is only called if the
491f2bffSschwarze.Dv X509_V_FLAG_LEGACY_VERIFY
491f2bffSschwarzeor
491f2bffSschwarze.Dv X509_V_FLAG_NO_ALT_CHAINS
491f2bffSschwarzeflag was set on
491f2bffSschwarze.Fa ctx
491f2bffSschwarzeusing
491f2bffSschwarze.Xr X509_STORE_CTX_set_flags 3
491f2bffSschwarzeor
491f2bffSschwarze.Xr X509_VERIFY_PARAM_set_flags 3 .
491f2bffSschwarzeOtherwise, it is ignored and a different algorithm is used that does
491f2bffSschwarzenot support replacing the verification function.
491f2bffSschwarze.Pp
491f2bffSschwarze.Fn X509_STORE_set_verify
491f2bffSschwarzesaves the function pointer
491f2bffSschwarze.Fa verify
491f2bffSschwarzein the given
491f2bffSschwarze.Fa store
491f2bffSschwarzeobject.
491f2bffSschwarzeThat pointer will be copied to an
491f2bffSschwarze.Vt X509_STORE_CTX
491f2bffSschwarzeobject when
491f2bffSschwarze.Fa store
491f2bffSschwarzeis later passed as an argument to
491f2bffSschwarze.Xr X509_STORE_CTX_init 3 .
491f2bffSschwarze.Pp
491f2bffSschwarze.Fn X509_STORE_set_verify_func
491f2bffSschwarzeis an alias for
491f2bffSschwarze.Fn X509_STORE_set_verify
491f2bffSschwarzeimplemented as a macro.
efc80f80Sjob.Pp
efc80f80Sjob.Fn X509_STORE_set_check_issued
efc80f80Sjobsaves the function pointer
efc80f80Sjob.Fa check_issued
efc80f80Sjobin the given
efc80f80Sjob.Fa store
efc80f80Sjobobject.
efc80f80SjobThat pointer will be copied to an
efc80f80Sjob.Vt X509_STORE_CTX
efc80f80Sjobobject when
efc80f80Sjob.Fa store
efc80f80Sjobis later passed as an argument to
efc80f80Sjob.Fn X509_STORE_CTX_init 3 .
efc80f80Sjob.Pp
efc80f80SjobThe
efc80f80Sjob.Fa check_issued
efc80f80Sjobfunction provided by the user should check whether a given certificate
efc80f80Sjob.Fa subject
efc80f80Sjobwas issued using the CA certificate
efc80f80Sjob.Fa issuer ,
efc80f80Sjoband must return 0 on failure and 1 on success.
*3b7446eeStbThe default implementation ignores the
*3b7446eeStb.Fa ctx
*3b7446eeStbargument and returns success if and only if
*3b7446eeStb.Xr X509_check_issued 3
*3b7446eeStbreturns
*3b7446eeStb.Dv X509_V_OK .
*3b7446eeStbIt is important to pay close attention to the order of the
*3b7446eeStb.Fa issuer
*3b7446eeStband
*3b7446eeStb.Fa subject
*3b7446eeStbarguments.
*3b7446eeStbIn
*3b7446eeStb.Xr X509_check_issued 3
*3b7446eeStbthe
*3b7446eeStb.Fa issuer
*3b7446eeStbprecedes the
*3b7446eeStb.Fa subject
*3b7446eeStbwhile in
*3b7446eeStb.Fn check_issued
*3b7446eeStbthe
*3b7446eeStb.Fa subject
*3b7446eeStbcomes first.
491f2bffSschwarze.Sh RETURN VALUES
491f2bffSschwarze.Fn X509_STORE_CTX_verify_fn
491f2bffSschwarzeis supposed to return 1 to indicate that the chain is valid
491f2bffSschwarzeor 0 if it is not or if an error occurred.
491f2bffSschwarze.Pp
491f2bffSschwarze.Fn X509_STORE_CTX_get_verify
e38e0490Sschwarzereturns a function pointer previously set with
491f2bffSschwarze.Fn X509_STORE_CTX_set_verify
491f2bffSschwarzeor
491f2bffSschwarze.Xr X509_STORE_CTX_init 3 ,
491f2bffSschwarzeor
491f2bffSschwarze.Dv NULL
491f2bffSschwarzeif
491f2bffSschwarze.Fa ctx
491f2bffSschwarzeis uninitialized.
e38e0490Sschwarze.Pp
e38e0490Sschwarze.Fn X509_STORE_get_verify
e38e0490Sschwarzereturns the function pointer previously set with
e38e0490Sschwarze.Fn X509_STORE_set_verify ,
e38e0490Sschwarzeor
e38e0490Sschwarze.Dv NULL
e38e0490Sschwarzeif that function was not called on the
e38e0490Sschwarze.Fa store .
efc80f80Sjob.Pp
efc80f80Sjob.Fn X509_STORE_get_check_issued
efc80f80Sjobreturns the function pointer previously set with
efc80f80Sjob.Fn X509_STORE_set_check_issued ,
efc80f80Sjobor
efc80f80Sjob.Dv NULL
efc80f80Sjobif that function was not called on the
efc80f80Sjob.Fa store .
efc80f80Sjob.Pp
efc80f80Sjob.Fn X509_STORE_CTX_get_check_issued
efc80f80Sjobreturns the
efc80f80Sjob.Fn check_issued
3d9f13a7Sjobfunction pointer set on the
efc80f80Sjob.Vt X509_STORE_CTX .
efc80f80SjobThis is either the
efc80f80Sjob.Fn check_issued
efc80f80Sjobfunction inherited from the
efc80f80Sjob.Fa store
efc80f80Sjobused in
efc80f80Sjob.Xr X509_STORE_CTX_init 3
efc80f80Sjobor the library's default implementation.
491f2bffSschwarze.Sh SEE ALSO
19a92ca5Sjsg.Xr X509_check_issued 3 ,
491f2bffSschwarze.Xr X509_STORE_CTX_init 3 ,
491f2bffSschwarze.Xr X509_STORE_CTX_set_error 3 ,
491f2bffSschwarze.Xr X509_STORE_CTX_set_flags 3 ,
491f2bffSschwarze.Xr X509_STORE_CTX_set_verify_cb 3 ,
491f2bffSschwarze.Xr X509_STORE_new 3 ,
491f2bffSschwarze.Xr X509_STORE_set_flags 3 ,
491f2bffSschwarze.Xr X509_STORE_set_verify_cb 3 ,
491f2bffSschwarze.Xr X509_verify_cert 3 ,
491f2bffSschwarze.Xr X509_VERIFY_PARAM_set_flags 3
491f2bffSschwarze.Sh HISTORY
491f2bffSschwarze.Fn X509_STORE_set_verify_func
491f2bffSschwarzefirst appeared in SSLeay 0.8.0 and has been available since
491f2bffSschwarze.Ox 2.4 .
491f2bffSschwarze.Pp
491f2bffSschwarze.Fn X509_STORE_CTX_set_verify
491f2bffSschwarzeand
491f2bffSschwarze.Fn X509_STORE_CTX_get_verify
491f2bffSschwarzefirst appeared in OpenSSL 1.1.0 and have been available since
491f2bffSschwarze.Ox 7.1 .
491f2bffSschwarze.Pp
e38e0490Sschwarze.Fn X509_STORE_CTX_verify_fn ,
e38e0490Sschwarze.Fn X509_STORE_set_verify ,
491f2bffSschwarzeand
e38e0490Sschwarze.Fn X509_STORE_get_verify
491f2bffSschwarzefirst appeared in OpenSSL 1.1.0 and have been available since
e38e0490Sschwarze.Ox 7.2 .
efc80f80Sjob.Pp
efc80f80Sjob.Fn X509_STORE_set_check_issued ,
efc80f80Sjob.Fn X509_STORE_get_check_issued ,
efc80f80Sjoband
efc80f80Sjob.Fn X509_STORE_CTX_get_check_issued
efc80f80Sjobfirst appeared in OpenSSL 1.1.0 and have been available since
efc80f80Sjob.Ox 7.3 .
*3b7446eeStb.Sh BUGS
*3b7446eeStbThe reversal of order of
*3b7446eeStb.Fa subject
*3b7446eeStband
*3b7446eeStb.Fa issuer
*3b7446eeStbbetween
*3b7446eeStb.Fn check_issued
*3b7446eeStband
*3b7446eeStb.Xr X509_check_issued 3
*3b7446eeStbis very confusing.
*3b7446eeStbIt has led to bugs and will cause many more.