1.\" $OpenBSD: X509_STORE_CTX_get_error.3,v 1.22 2022/02/03 18:05:31 tb Exp $ 2.\" full merge up to: 3.\" OpenSSL man3/X509_STORE_CTX_get_error 24a535ea Sep 22 13:14:20 2020 +0100 4.\" OpenSSL man3/X509_STORE_CTX_new 24a535ea Sep 22 13:14:20 2020 +0100 5.\" 6.\" This file is a derived work. 7.\" The changes are covered by the following Copyright and license: 8.\" 9.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org> 10.\" 11.\" Permission to use, copy, modify, and distribute this software for any 12.\" purpose with or without fee is hereby granted, provided that the above 13.\" copyright notice and this permission notice appear in all copies. 14.\" 15.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 16.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 17.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 18.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 19.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 20.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 21.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 22.\" 23.\" The original file was written by Dr. Stephen Henson <steve@openssl.org> 24.\" and Rich Salz <rsalz@openssl.org>. 25.\" Copyright (c) 2009, 2016 The OpenSSL Project. All rights reserved. 26.\" 27.\" Redistribution and use in source and binary forms, with or without 28.\" modification, are permitted provided that the following conditions 29.\" are met: 30.\" 31.\" 1. Redistributions of source code must retain the above copyright 32.\" notice, this list of conditions and the following disclaimer. 33.\" 34.\" 2. Redistributions in binary form must reproduce the above copyright 35.\" notice, this list of conditions and the following disclaimer in 36.\" the documentation and/or other materials provided with the 37.\" distribution. 38.\" 39.\" 3. 
All advertising materials mentioning features or use of this 40.\" software must display the following acknowledgment: 41.\" "This product includes software developed by the OpenSSL Project 42.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 43.\" 44.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 45.\" endorse or promote products derived from this software without 46.\" prior written permission. For written permission, please contact 47.\" openssl-core@openssl.org. 48.\" 49.\" 5. Products derived from this software may not be called "OpenSSL" 50.\" nor may "OpenSSL" appear in their names without prior written 51.\" permission of the OpenSSL Project. 52.\" 53.\" 6. Redistributions of any form whatsoever must retain the following 54.\" acknowledgment: 55.\" "This product includes software developed by the OpenSSL Project 56.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" 57.\" 58.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 59.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 60.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 61.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 62.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 63.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 64.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 65.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 66.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 67.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 68.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 69.\" OF THE POSSIBILITY OF SUCH DAMAGE. 
70.\" 71.Dd $Mdocdate: February 3 2022 $ 72.Dt X509_STORE_CTX_GET_ERROR 3 73.Os 74.Sh NAME 75.Nm X509_STORE_CTX_get_error , 76.Nm X509_STORE_CTX_set_error , 77.Nm X509_STORE_CTX_get_error_depth , 78.Nm X509_STORE_CTX_set_error_depth , 79.Nm X509_STORE_CTX_get_current_cert , 80.Nm X509_STORE_CTX_set_current_cert , 81.Nm X509_STORE_CTX_get0_current_issuer , 82.Nm X509_STORE_CTX_get0_current_crl , 83.Nm X509_STORE_CTX_get0_parent_ctx , 84.Nm X509_STORE_CTX_get_num_untrusted , 85.Nm X509_STORE_CTX_get0_chain , 86.Nm X509_STORE_CTX_get_chain , 87.Nm X509_STORE_CTX_get1_chain , 88.Nm X509_STORE_CTX_set0_verified_chain , 89.Nm X509_STORE_CTX_get0_policy_tree , 90.Nm X509_STORE_CTX_get_explicit_policy , 91.Nm X509_verify_cert_error_string 92.Nd get or set certificate verification status information 93.Sh SYNOPSIS 94.In openssl/x509_vfy.h 95.Ft int 96.Fo X509_STORE_CTX_get_error 97.Fa "X509_STORE_CTX *ctx" 98.Fc 99.Ft void 100.Fo X509_STORE_CTX_set_error 101.Fa "X509_STORE_CTX *ctx" 102.Fa "int s" 103.Fc 104.Ft int 105.Fo X509_STORE_CTX_get_error_depth 106.Fa "X509_STORE_CTX *ctx" 107.Fc 108.Ft void 109.Fo X509_STORE_CTX_set_error_depth 110.Fa "X509_STORE_CTX *ctx" 111.Fa "int depth" 112.Fc 113.Ft X509 * 114.Fo X509_STORE_CTX_get_current_cert 115.Fa "X509_STORE_CTX *ctx" 116.Fc 117.Ft void 118.Fo X509_STORE_CTX_set_current_cert 119.Fa "X509_STORE_CTX *ctx" 120.Fa "X509 *cert" 121.Fc 122.Ft X509 * 123.Fo X509_STORE_CTX_get0_current_issuer 124.Fa "X509_STORE_CTX *ctx" 125.Fc 126.Ft X509_CRL * 127.Fo X509_STORE_CTX_get0_current_crl 128.Fa "X509_STORE_CTX *ctx" 129.Fc 130.Ft X509_STORE_CTX * 131.Fo X509_STORE_CTX_get0_parent_ctx 132.Fa "X509_STORE_CTX *ctx" 133.Fc 134.Ft int 135.Fo X509_STORE_CTX_get_num_untrusted 136.Fa "X509_STORE_CTX *ctx" 137.Fc 138.Ft STACK_OF(X509) * 139.Fo X509_STORE_CTX_get0_chain 140.Fa "X509_STORE_CTX *ctx" 141.Fc 142.Ft STACK_OF(X509) * 143.Fo X509_STORE_CTX_get_chain 144.Fa "X509_STORE_CTX *ctx" 145.Fc 146.Ft STACK_OF(X509) * 147.Fo 
X509_STORE_CTX_get1_chain 148.Fa "X509_STORE_CTX *ctx" 149.Fc 150.Ft void 151.Fo X509_STORE_CTX_set0_verified_chain 152.Fa "X509_STORE_CTX *ctx" 153.Fa "STACK_OF(X509) *chain" 154.Fc 155.Ft X509_POLICY_TREE * 156.Fo X509_STORE_CTX_get0_policy_tree 157.Fa "X509_STORE_CTX *ctx" 158.Fc 159.Ft int 160.Fo X509_STORE_CTX_get_explicit_policy 161.Fa "X509_STORE_CTX *ctx" 162.Fc 163.In openssl/x509.h 164.Ft const char * 165.Fo X509_verify_cert_error_string 166.Fa "long n" 167.Fc 168.Sh DESCRIPTION 169Most of these functions are typically called after 170.Xr X509_verify_cert 3 171to inspect status information related to certificate verification. 172Some may also be called in a verification callback to determine the 173nature of an error. 174.Pp 175.Fn X509_STORE_CTX_get_error 176returns the error code of 177.Fa ctx . 178See the 179.Sy ERROR CODES 180section for a full description of all error codes. 181.Pp 182.Fn X509_STORE_CTX_set_error 183sets the error code of 184.Fa ctx 185to 186.Fa s . 187For example it might be used in a verification callback to set an error 188based on additional checks. 189.Pp 190.Fn X509_STORE_CTX_get_error_depth 191returns the depth of the error. 192This is a non-negative integer representing where in the certificate 193chain the error occurred. 194If it is zero, it occurred in the end entity certificate, one if it is 195the certificate which signed the end entity certificate, and so on. 196.Pp 197.Fn X509_STORE_CTX_set_error_depth 198sets the error depth. 199This can be used in combination with 200.Fn X509_STORE_CTX_set_error 201to set the depth at which an error condition was detected. 202.Pp 203.Fn X509_STORE_CTX_get_current_cert 204returns the certificate in 205.Fa ctx 206which caused the error or 207.Dv NULL 208if no certificate is relevant. 209.Pp 210.Fn X509_STORE_CTX_set_current_cert 211sets the certificate which caused the error in 212.Fa ctx 213to the given 214.Fa cert . 
215This value is not intended to remain valid for very long, 216and remains owned by the caller. 217It may be examined by a verification callback invoked to handle 218each error encountered during chain verification and is no longer 219required after such a callback. 220If a callback wishes to save the certificate for use after it returns, 221it needs to increment its reference count via 222.Xr X509_up_ref 3 . 223Once such a saved certificate is no longer needed, it can be freed with 224.Xr X509_free 3 . 225.Pp 226.Fn X509_STORE_CTX_get0_current_issuer 227returns the certificate that caused issuer validation to fail or 228.Dv NULL 229if no CA certificate is relevant. 230.Pp 231.Fn X509_STORE_CTX_get0_current_crl 232returns the certificate revocation list that caused CRL checking to fail or 233.Dv NULL 234if no CRL is relevant. 235.Pp 236When, during certification path validation, the need arises to check 237the validity of the certification path of a CRL issuer certificate, 238the library creates a new, temporary 239.Vt X509_STORE_CTX 240object. 241If 242.Fn X509_STORE_CTX_get0_parent_ctx 243is called on that temporary object, a pointer to the original 244certification path validation context is returned. 245This may be useful in callback functions called from 246.Xr X509_verify_cert 3 247or from its subroutines to find out whether the callback is called 248from the path validation of the target certificate or from the path 249validation of a related CRL issuer certificate, and if the latter, 250what the target certificate is. 251.Pp 252.Fn X509_STORE_CTX_get0_chain 253returns an internal pointer to a complete validated chain 254if a previous call to 255.Xr X509_verify_cert 3 256was successful. 257If the call to 258.Xr X509_verify_cert 3 259was not successful, the returned chain may be incomplete or invalid and must not be treated as verified. 260.Fn X509_STORE_CTX_get_chain 261is a deprecated alias of 262.Fn X509_STORE_CTX_get0_chain . 
263.Fn X509_STORE_CTX_get1_chain 264returns a deep copy of the same chain which persists even after the 265.Fa ctx 266structure is freed. 267When it is no longer needed, it should be freed using 268.Fn sk_X509_pop_free chain X509_free . 269.Pp 270.Fn X509_STORE_CTX_set0_verified_chain 271frees the validated chain generated by a previous call to 272.Xr X509_verify_cert 3 , 273if any, and replaces it with the given 274.Fa chain . 275Ownership of the 276.Fa chain 277is transferred to the 278.Fa ctx , 279so it should not be freed by the caller. 280.Pp 281.Fn X509_verify_cert_error_string 282returns a human readable error string for verification error 283.Fa n . 284.Pp 285The above functions should be used instead of directly referencing the 286fields in the 287.Sy X509_VERIFY_CTX 288structure. 289.Pp 290In versions of OpenSSL before 1.0, the current certificate returned by 291.Fn X509_STORE_CTX_get_current_cert 292was never 293.Dv NULL . 294Applications should check the return value before printing out any 295debugging information relating to the current certificate. 296.Pp 297If an unrecognised error code is passed to 298.Fn X509_verify_cert_error_string , 299the numerical value of the unknown code is returned in a static buffer. 300This is not thread safe but will never happen unless an invalid code is 301passed. 302.Sh RETURN VALUES 303.Fn X509_STORE_CTX_get_error 304returns 305.Dv X509_V_OK 306or an error code. 307.Pp 308.Fn X509_STORE_CTX_get_error_depth 309returns a non-negative error depth. 310.Pp 311.Fn X509_STORE_CTX_get_current_cert , 312.Fn X509_STORE_CTX_get0_current_issuer , 313and 314.Fn X509_STORE_CTX_get0_current_crl 315return the object which caused the error or 316.Dv NULL 317if no object of the requested kind is relevant to the error. 318.Pp 319.Fn X509_STORE_CTX_get0_parent_ctx 320returns the parent context or 321.Dv NULL 322if 323.Fa ctx 324is not a temporary child context 325used for path validation of a CRL issuer certificate. 
326.Pp 327.Fn X509_STORE_CTX_get_num_untrusted 328returns the number of untrusted certificates 329that were used in building the chain during a call to 330.Xr X509_verify_cert 3 . 331.Pp 332.Fn X509_STORE_CTX_get0_chain , 333.Fn X509_STORE_CTX_get_chain , 334and 335.Fn X509_STORE_CTX_get1_chain 336return a pointer to a stack of certificates or 337.Dv NULL 338if an error occurs. 339.Pp 340.Fn X509_STORE_CTX_get0_policy_tree 341returns an internal pointer to the 342.Fa valid_policy_tree 343created by 344.Xr X509_policy_check 3 345or 346.Dv NULL 347if validation failed or the resulting tree was empty. 348.Pp 349.Fn X509_STORE_CTX_get_explicit_policy 350returns the 351.Pf * Fa pexplicit_policy 352output argument of 353.Xr X509_policy_check 3 . 354If validation succeeded, it is 1 if 355.Dv X509_V_FLAG_EXPLICIT_POLICY 356was requested or 0 otherwise. 357.Pp 358.Fn X509_verify_cert_error_string 359returns a human readable error string for verification error 360.Fa n . 361.Sh ERROR CODES 362A list of error codes and messages is shown below. 363Some of the error codes are defined but currently never returned: 364these are described as "unused". 365.Bl -tag -width Ds 366.It Dv X509_V_OK : No ok 367The operation was successful. 368.It Dv X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT : \ 369 No unable to get issuer certificate 370The issuer certificate of a locally looked up certificate could not be found. 371This normally means the list of trusted certificates is not complete. 372.It Dv X509_V_ERR_UNABLE_TO_GET_CRL : No unable to get certificate CRL 373The CRL of a certificate could not be found. 374.It Dv X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE : \ 375 No unable to decrypt certificate's signature 376The certificate signature could not be decrypted. 377This means that the actual signature value could not be determined 378rather than it not matching the expected value. 379This is only meaningful for RSA keys. 
380.It Dv X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE : \ 381 No unable to decrypt CRL's signature 382The CRL signature could not be decrypted: this means that the actual 383signature value could not be determined rather than it not matching the 384expected value. 385Unused. 386.It Dv X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY : \ 387 No unable to decode issuer public key 388The public key in the certificate 389.Vt SubjectPublicKeyInfo 390could not be read. 391.It Dv X509_V_ERR_CERT_SIGNATURE_FAILURE : No certificate signature failure 392The signature of the certificate is invalid. 393.It Dv X509_V_ERR_CRL_SIGNATURE_FAILURE : No CRL signature failure 394The signature of the CRL is invalid. 395.It Dv X509_V_ERR_CERT_NOT_YET_VALID : No certificate is not yet valid 396The certificate is not yet valid: the notBefore date is after the 397current time. 398.It Dv X509_V_ERR_CERT_HAS_EXPIRED : No certificate has expired 399The certificate has expired: that is the notAfter date is before the 400current time. 401.It Dv X509_V_ERR_CRL_NOT_YET_VALID : No CRL is not yet valid 402The CRL is not yet valid. 403.It Dv X509_V_ERR_CRL_HAS_EXPIRED : No CRL has expired 404The CRL has expired. 405.It Dv X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD : \ 406 No format error in certificate's notBefore field 407The certificate notBefore field contains an invalid time. 408.It Dv X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD : \ 409 No format error in certificate's notAfter field 410The certificate notAfter field contains an invalid time. 411.It Dv X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD : \ 412 No format error in CRL's lastUpdate field 413The CRL lastUpdate field contains an invalid time. 414.It Dv X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD : \ 415 No format error in CRL's nextUpdate field 416The CRL nextUpdate field contains an invalid time. 417.It Dv X509_V_ERR_OUT_OF_MEM : No out of memory 418An error occurred trying to allocate memory. 419This should never happen. 
420.It Dv X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT : No self signed certificate 421The passed certificate is self signed and the same certificate cannot be 422found in the list of trusted certificates. 423.It Dv X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN : \ 424 No self signed certificate in certificate chain 425The certificate chain could be built up using the untrusted certificates 426but the root could not be found locally. 427.It Dv X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY : \ 428 No unable to get local issuer certificate 429The issuer certificate could not be found: this occurs if the issuer 430certificate of an untrusted certificate cannot be found. 431.It Dv X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE : \ 432 No unable to verify the first certificate 433No signatures could be verified because the chain contains only one 434certificate and it is not self signed. 435.It Dv X509_V_ERR_CERT_CHAIN_TOO_LONG : No certificate chain too long 436The certificate chain length is greater than the supplied maximum depth. 437Unused. 438.It Dv X509_V_ERR_CERT_REVOKED : No certificate revoked 439The certificate has been revoked. 440.It Dv X509_V_ERR_INVALID_CA : No invalid CA certificate 441A CA certificate is invalid. 442Either it is not a CA or its extensions are not consistent with the 443supplied purpose. 444.It Dv X509_V_ERR_PATH_LENGTH_EXCEEDED : No path length constraint exceeded 445The basicConstraints path-length parameter has been exceeded. 446.It Dv X509_V_ERR_INVALID_PURPOSE : No unsupported certificate purpose 447The supplied certificate cannot be used for the specified purpose. 448.It Dv X509_V_ERR_CERT_UNTRUSTED : No certificate not trusted 449The root CA is not marked as trusted for the specified purpose. 450.It Dv X509_V_ERR_CERT_REJECTED : No certificate rejected 451The root CA is marked to reject the specified purpose. 
452.It Dv X509_V_ERR_SUBJECT_ISSUER_MISMATCH : No subject issuer mismatch 453The current candidate issuer certificate was rejected because its 454subject name did not match the issuer name of the current certificate. 455This is only set if issuer check debugging is enabled; it is used for 456status notification and is 457.Sy not 458in itself an error. 459.It Dv X509_V_ERR_AKID_SKID_MISMATCH : \ 460 No authority and subject key identifier mismatch 461The current candidate issuer certificate was rejected because its 462subject key identifier was present and did not match the authority key 463identifier of the current certificate. 464This is only set if issuer check debugging is enabled; it is used for 465status notification and is 466.Sy not 467in itself an error. 468.It Dv X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH : \ 469 No authority and issuer serial number mismatch 470The current candidate issuer certificate was rejected because its issuer 471name and serial number were present and did not match the authority key 472identifier of the current certificate. 473This is only set if issuer check debugging is enabled; it is used for 474status notification and is 475.Sy not 476in itself an error. 477.It Dv X509_V_ERR_KEYUSAGE_NO_CERTSIGN : \ 478 No key usage does not include certificate signing 479The current candidate issuer certificate was rejected because its 480keyUsage extension does not permit certificate signing. 481This is only set if issuer check debugging is enabled; it is used for 482status notification and is 483.Sy not 484in itself an error. 485.It Dv X509_V_ERR_INVALID_EXTENSION : \ 486 No invalid or inconsistent certificate extension 487A certificate extension had an invalid value (for example an incorrect 488encoding) or some value inconsistent with other extensions. 
489.It Dv X509_V_ERR_INVALID_POLICY_EXTENSION : \ 490 No invalid or inconsistent certificate policy extension 491A certificate policies extension had an invalid value (for example an 492incorrect encoding) or some value inconsistent with other extensions. 493This error only occurs if policy processing is enabled. 494.It Dv X509_V_ERR_NO_EXPLICIT_POLICY : No no explicit policy 495The verification flags were set to require an explicit policy but none 496was present. 497.It Dv X509_V_ERR_DIFFERENT_CRL_SCOPE : No different CRL scope 498The only CRLs that could be found did not match the scope of the 499certificate. 500.It Dv X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE : \ 501 No unsupported extension feature 502Some feature of a certificate extension is not supported. 503Unused. 504.It Dv X509_V_ERR_PERMITTED_VIOLATION : No permitted subtree violation 505A name constraint violation occurred in the permitted subtrees. 506.It Dv X509_V_ERR_EXCLUDED_VIOLATION : No excluded subtree violation 507A name constraint violation occurred in the excluded subtrees. 508.It Dv X509_V_ERR_SUBTREE_MINMAX : \ 509 No name constraints minimum and maximum not supported 510A certificate name constraints extension included a minimum or maximum 511field: this is not supported. 512.It Dv X509_V_ERR_UNNESTED_RESOURCE : \ 513 No RFC 3779 resource not subset of parent's resources 514When walking up a certificate chain, all resources specified in 515RFC 3779 extensions must be contained in the resources delegated in 516the issuer's RFC 3779 extensions. 517The error indicates that this is not the case or that the trust anchor 518has inheritance. 519.It Dv X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE : \ 520 No unsupported name constraint type 521An unsupported name constraint type was encountered. 522OpenSSL currently only supports directory name, DNS name, email and URI 523types. 
524.It Dv X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX : \ 525 No unsupported or invalid name constraint syntax 526The format of the name constraint is not recognised: for example an 527email address format of a form not mentioned in RFC 3280. 528This could be caused by a garbage extension or some new feature not 529currently supported. 530.It Dv X509_V_ERR_CRL_PATH_VALIDATION_ERROR : No CRL path validation error 531An error occurred when attempting to verify the CRL path. 532This error can only happen if extended CRL checking is enabled. 533.It Dv X509_V_ERR_APPLICATION_VERIFICATION : \ 534 No application verification failure 535An application specific error. 536This will never be returned unless explicitly set by an application. 537.El 538.Sh SEE ALSO 539.Xr X509_policy_check 3 , 540.Xr X509_policy_tree_level_count 3 , 541.Xr X509_STORE_CTX_new 3 , 542.Xr X509_STORE_CTX_set_verify 3 , 543.Xr X509_STORE_CTX_set_verify_cb 3 , 544.Xr X509_STORE_set_verify_cb 3 , 545.Xr X509_up_ref 3 , 546.Xr X509_verify_cert 3 547.Sh HISTORY 548.Fn X509_STORE_CTX_get_error , 549.Fn X509_STORE_CTX_set_error , 550.Fn X509_STORE_CTX_get_error_depth , 551.Fn X509_STORE_CTX_get_current_cert , 552.Fn X509_STORE_CTX_get_chain , 553and 554.Fn X509_verify_cert_error_string 555first appeared in SSLeay 0.8.0 and have been available since 556.Ox 2.4 . 557.Pp 558.Fn X509_STORE_CTX_get1_chain 559first appeared in OpenSSL 0.9.5 and has been available since 560.Ox 2.7 . 561.Pp 562.Fn X509_STORE_CTX_get0_policy_tree 563and 564.Fn X509_STORE_CTX_get_explicit_policy 565first appeared in OpenSSL 0.9.8 and have been available since 566.Ox 4.5 . 567.Pp 568.Fn X509_STORE_CTX_get0_current_issuer , 569.Fn X509_STORE_CTX_get0_current_crl , 570and 571.Fn X509_STORE_CTX_get0_parent_ctx 572first appeared in OpenSSL 1.0.0 and have been available since 573.Ox 4.9 . 574.Pp 575.Fn X509_STORE_CTX_get0_chain 576first appeared in OpenSSL 1.1.0 and has been available since 577.Ox 6.3 . 
578.Pp 579.Fn X509_STORE_CTX_set_error_depth , 580.Fn X509_STORE_CTX_set_current_cert , 581.Fn X509_STORE_CTX_get_num_untrusted , 582and 583.Fn X509_STORE_CTX_set0_verified_chain 584first appeared in OpenSSL 1.1.0 and have been available since 585.Ox 7.1 . 586