123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222 |
- =pod
- =head1 NAME
- X509_STORE_CTX_get_cleanup,
- X509_STORE_CTX_get_lookup_crls,
- X509_STORE_CTX_get_lookup_certs,
- X509_STORE_CTX_get_check_policy,
- X509_STORE_CTX_get_cert_crl,
- X509_STORE_CTX_get_check_crl,
- X509_STORE_CTX_get_get_crl,
- X509_STORE_CTX_get_check_revocation,
- X509_STORE_CTX_get_check_issued,
- X509_STORE_CTX_get_get_issuer,
- X509_STORE_CTX_get_verify_cb,
- X509_STORE_CTX_set_verify_cb,
- X509_STORE_CTX_verify_cb,
- X509_STORE_CTX_print_verify_cb
- - get and set X509_STORE_CTX components such as verification callback
- =head1 SYNOPSIS
- #include <openssl/x509_vfy.h>
- typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *);
- int X509_STORE_CTX_print_verify_cb(int ok, X509_STORE_CTX *ctx);
- X509_STORE_CTX_verify_cb X509_STORE_CTX_get_verify_cb(X509_STORE_CTX *ctx);
- void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
- X509_STORE_CTX_verify_cb verify_cb);
- X509_STORE_CTX_get_issuer_fn X509_STORE_CTX_get_get_issuer(X509_STORE_CTX *ctx);
- X509_STORE_CTX_check_issued_fn X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx);
- X509_STORE_CTX_check_revocation_fn X509_STORE_CTX_get_check_revocation(X509_STORE_CTX *ctx);
- X509_STORE_CTX_get_crl_fn X509_STORE_CTX_get_get_crl(X509_STORE_CTX *ctx);
- X509_STORE_CTX_check_crl_fn X509_STORE_CTX_get_check_crl(X509_STORE_CTX *ctx);
- X509_STORE_CTX_cert_crl_fn X509_STORE_CTX_get_cert_crl(X509_STORE_CTX *ctx);
- X509_STORE_CTX_check_policy_fn X509_STORE_CTX_get_check_policy(X509_STORE_CTX *ctx);
- X509_STORE_CTX_lookup_certs_fn X509_STORE_CTX_get_lookup_certs(X509_STORE_CTX *ctx);
- X509_STORE_CTX_lookup_crls_fn X509_STORE_CTX_get_lookup_crls(X509_STORE_CTX *ctx);
- X509_STORE_CTX_cleanup_fn X509_STORE_CTX_get_cleanup(X509_STORE_CTX *ctx);
- =head1 DESCRIPTION
- X509_STORE_CTX_set_verify_cb() sets the verification callback of B<ctx> to
- B<verify_cb> overwriting any existing callback.
- The verification callback can be used to customise the operation of certificate
- verification, either by overriding error conditions or logging errors for
- debugging purposes.
- However, a verification callback is B<not> essential and the default operation
- is often sufficient.
- The B<ok> parameter to the callback indicates the value the callback should
- return to retain the default behaviour. If it is zero then an error condition
- is indicated. If it is 1 then no error occurred. If the flag
- B<X509_V_FLAG_NOTIFY_POLICY> is set then B<ok> is set to 2 to indicate the
- policy checking is complete.
- The B<ctx> parameter to the callback is the B<X509_STORE_CTX> structure that
- is performing the verification operation. A callback can examine this
- structure and receive additional information about the error, for example
- by calling X509_STORE_CTX_get_current_cert(). Additional application data can
- be passed to the callback via the B<ex_data> mechanism.
- X509_STORE_CTX_print_verify_cb() is a verification callback function that,
- when a certificate verification has failed, adds an entry to the error queue
- with code B<X509_R_CERTIFICATE_VERIFICATION_FAILED> and with diagnostic details,
- including the most relevant fields of the target certificate that failed to
- verify and, if appropriate, of the available untrusted and trusted certificates.
- X509_STORE_CTX_get_verify_cb() returns the value of the current callback
- for the specific B<ctx>.
- X509_STORE_CTX_get_get_issuer(),
- X509_STORE_CTX_get_check_issued(), X509_STORE_CTX_get_check_revocation(),
- X509_STORE_CTX_get_get_crl(), X509_STORE_CTX_get_check_crl(),
- X509_STORE_CTX_get_cert_crl(), X509_STORE_CTX_get_check_policy(),
- X509_STORE_CTX_get_lookup_certs(), X509_STORE_CTX_get_lookup_crls()
- and X509_STORE_CTX_get_cleanup() return the function pointers cached
- from the corresponding B<X509_STORE>, please see
- L<X509_STORE_set_verify(3)> for more information.
- =head1 WARNINGS
- In general a verification callback should B<NOT> unconditionally return 1 in
- all circumstances because this will allow verification to succeed no matter
- what the error. This effectively removes all security from the application
- because B<any> certificate (including untrusted generated ones) will be
- accepted.
- =head1 NOTES
- The verification callback can be set and inherited from the parent structure
- performing the operation. In some cases (such as S/MIME verification) the
- B<X509_STORE_CTX> structure is created and destroyed internally and the
- only way to set a custom verification callback is by inheriting it from the
- associated B<X509_STORE>.
- =head1 RETURN VALUES
- X509_STORE_CTX_set_verify_cb() does not return a value.
- =head1 EXAMPLES
- Default callback operation:
- int verify_callback(int ok, X509_STORE_CTX *ctx) {
- return ok;
- }
- Simple example, suppose a certificate in the chain is expired and we wish
- to continue after this error:
- int verify_callback(int ok, X509_STORE_CTX *ctx) {
- /* Tolerate certificate expiration */
- if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_CERT_HAS_EXPIRED)
- return 1;
- /* Otherwise don't override */
- return ok;
- }
- More complex example, we don't wish to continue after B<any> certificate has
- expired just one specific case:
- int verify_callback(int ok, X509_STORE_CTX *ctx)
- {
- int err = X509_STORE_CTX_get_error(ctx);
- X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx);
- if (err == X509_V_ERR_CERT_HAS_EXPIRED) {
- if (check_is_acceptable_expired_cert(err_cert)
- return 1;
- }
- return ok;
- }
- Full featured logging callback. In this case the B<bio_err> is assumed to be
- a global logging B<BIO>, an alternative would to store a BIO in B<ctx> using
- B<ex_data>.
- int verify_callback(int ok, X509_STORE_CTX *ctx)
- {
- X509 *err_cert;
- int err, depth;
- err_cert = X509_STORE_CTX_get_current_cert(ctx);
- err = X509_STORE_CTX_get_error(ctx);
- depth = X509_STORE_CTX_get_error_depth(ctx);
- BIO_printf(bio_err, "depth=%d ", depth);
- if (err_cert) {
- X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert),
- 0, XN_FLAG_ONELINE);
- BIO_puts(bio_err, "\n");
- }
- else
- BIO_puts(bio_err, "<no cert>\n");
- if (!ok)
- BIO_printf(bio_err, "verify error:num=%d:%s\n", err,
- X509_verify_cert_error_string(err));
- switch (err) {
- case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
- BIO_puts(bio_err, "issuer= ");
- X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert),
- 0, XN_FLAG_ONELINE);
- BIO_puts(bio_err, "\n");
- break;
- case X509_V_ERR_CERT_NOT_YET_VALID:
- case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
- BIO_printf(bio_err, "notBefore=");
- ASN1_TIME_print(bio_err, X509_get_notBefore(err_cert));
- BIO_printf(bio_err, "\n");
- break;
- case X509_V_ERR_CERT_HAS_EXPIRED:
- case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
- BIO_printf(bio_err, "notAfter=");
- ASN1_TIME_print(bio_err, X509_get_notAfter(err_cert));
- BIO_printf(bio_err, "\n");
- break;
- case X509_V_ERR_NO_EXPLICIT_POLICY:
- policies_print(bio_err, ctx);
- break;
- }
- if (err == X509_V_OK && ok == 2)
- /* print out policies */
- BIO_printf(bio_err, "verify return:%d\n", ok);
- return(ok);
- }
- =head1 SEE ALSO
- L<X509_STORE_CTX_get_error(3)>
- L<X509_STORE_set_verify_cb_func(3)>
- L<X509_STORE_CTX_get_ex_new_index(3)>
- =head1 HISTORY
- The
- X509_STORE_CTX_get_get_issuer(),
- X509_STORE_CTX_get_check_issued(), X509_STORE_CTX_get_check_revocation(),
- X509_STORE_CTX_get_get_crl(), X509_STORE_CTX_get_check_crl(),
- X509_STORE_CTX_get_cert_crl(), X509_STORE_CTX_get_check_policy(),
- X509_STORE_CTX_get_lookup_certs(), X509_STORE_CTX_get_lookup_crls()
- and X509_STORE_CTX_get_cleanup() functions were added in OpenSSL 1.1.0.
- X509_STORE_CTX_print_verify_cb() was added in OpenSSL 3.0.
- =head1 COPYRIGHT
- Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
- Licensed under the Apache License 2.0 (the "License"). You may not use
- this file except in compliance with the License. You can obtain a copy
- in the file LICENSE in the source distribution or at
- L<https://www.openssl.org/source/license.html>.
- =cut
|