OWEALs
/
openssl
镜像来自 git://git.openssl.org/openssl.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161
							=pod

=head1 NAME

X509_STORE_CTX_set_verify_cb - set verification callback

=head1 SYNOPSIS

 #include <openssl/x509_vfy.h>

 void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
				int (*verify_cb)(int ok, X509_STORE_CTX *ctx));

=head1 DESCRIPTION

X509_STORE_CTX_set_verify_cb() sets the verification callback of B<ctx> to
B<verify_cb> overwriting any existing callback.

The verification callback can be used to customise the operation of certificate
verification, either by overriding error conditions or logging errors for
debugging purposes.

However a verification callback is B<not> essential and the default operation
is often sufficient.

The B<ok> parameter to the callback indicates the value the callback should
return to retain the default behaviour. If it is zero then and error condition
is indicated. If it is 1 then no error occurred. If the flag
B<X509_V_FLAG_NOTIFY_POLICY> is set then B<ok> is set to 2 to indicate the
policy checking is complete.

The B<ctx> parameter to the callback is the B<X509_STORE_CTX> structure that
is performing the verification operation. A callback can examine this
structure and receive additional information about the error, for example
by calling X509_STORE_CTX_get_current_cert(). Additional application data can
be passed to the callback via the B<ex_data> mechanism.

=head1 WARNING

In general a verification callback should B<NOT> unconditionally return 1 in
all circumstances because this will allow verification to succeed no matter
what the error. This effectively removes all security from the application
because B<any> certificate (including untrusted generated ones) will be
accepted.

=head1 NOTES

The verification callback can be set and inherited from the parent structure
performing the operation. In some cases (such as S/MIME verification) the
B<X509_STORE_CTX> structure is created and destroyed internally and the
only way to set a custom verification callback is by inheriting it from the
associated B<X509_STORE>.

=head1 RETURN VALUES

X509_STORE_CTX_set_verify_cb() does not return a value.

=head1 EXAMPLES

Default callback operation:

 int verify_callback(int ok, X509_STORE_CTX *ctx)
	{
	return ok;
	}

Simple example, suppose a certificate in the chain is expired and we wish
to continue after this error:

 int verify_callback(int ok, X509_STORE_CTX *ctx)
	{
	/* Tolerate certificate expiration */
	if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_CERT_HAS_EXPIRED)
			return 1;
	/* Otherwise don't override */
	return ok;
	}

More complex example, we don't wish to continue after B<any> certificate has
expired just one specific case:

 int verify_callback(int ok, X509_STORE_CTX *ctx)
	{
	int err = X509_STORE_CTX_get_error(ctx);
	X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx);
	if (err == X509_V_ERR_CERT_HAS_EXPIRED)
		{
		if (check_is_acceptable_expired_cert(err_cert)
			return 1;
		}
	return ok;
	}

Full featured logging callback. In this case the B<bio_err> is assumed to be
a global logging B<BIO>, an alternative would to store a BIO in B<ctx> using
B<ex_data>.
	
 int verify_callback(int ok, X509_STORE_CTX *ctx)
	{
	X509 *err_cert;
	int err,depth;

	err_cert = X509_STORE_CTX_get_current_cert(ctx);
	err =	X509_STORE_CTX_get_error(ctx);
	depth =	X509_STORE_CTX_get_error_depth(ctx);

	BIO_printf(bio_err,"depth=%d ",depth);
	if (err_cert)
		{
		X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert),
					0, XN_FLAG_ONELINE);
		BIO_puts(bio_err, "\n");
		}
	else
		BIO_puts(bio_err, "<no cert>\n");
	if (!ok)
		BIO_printf(bio_err,"verify error:num=%d:%s\n",err,
			X509_verify_cert_error_string(err));
	switch (err)
		{
	case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
		BIO_puts(bio_err,"issuer= ");
		X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert),
					0, XN_FLAG_ONELINE);
		BIO_puts(bio_err, "\n");
		break;
	case X509_V_ERR_CERT_NOT_YET_VALID:
	case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
		BIO_printf(bio_err,"notBefore=");
		ASN1_TIME_print(bio_err,X509_get_notBefore(err_cert));
		BIO_printf(bio_err,"\n");
		break;
	case X509_V_ERR_CERT_HAS_EXPIRED:
	case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
		BIO_printf(bio_err,"notAfter=");
		ASN1_TIME_print(bio_err,X509_get_notAfter(err_cert));
		BIO_printf(bio_err,"\n");
		break;
	case X509_V_ERR_NO_EXPLICIT_POLICY:
		policies_print(bio_err, ctx);
		break;
		}
	if (err == X509_V_OK && ok == 2)
		/* print out policies */

	BIO_printf(bio_err,"verify return:%d\n",ok);
	return(ok);
	}

=head1 SEE ALSO

L<X509_STORE_CTX_get_error(3)|X509_STORE_CTX_get_error(3)>
L<X509_STORE_set_verify_cb_func(3)|X509_STORE_set_verify_cb_func(3)>
L<X509_STORE_CTX_get_ex_new_index(3)|X509_STORE_CTX_get_ex_new_index(3)>

=head1 HISTORY

X509_STORE_CTX_set_verify_cb() is available in all versions of SSLeay and
OpenSSL.

=cut