NAME¶

X509_STORE_CTX_verify_fn, X509_STORE_CTX_set_verify, X509_STORE_CTX_get_verify, X509_STORE_set_verify, X509_STORE_set_verify_func, X509_STORE_get_verify, X509_STORE_CTX_check_issued_fn, X509_STORE_set_check_issued, X509_STORE_get_check_issued, X509_STORE_CTX_get_check_issued — user-defined certificate chain verification function

SYNOPSIS¶

#include <openssl/x509_vfy.h>

typedef int
(*X509_STORE_CTX_verify_fn)(X509_STORE_CTX *ctx);

void
X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx, X509_STORE_CTX_verify_fn verify);

X509_STORE_CTX_verify_fn
X509_STORE_CTX_get_verify(X509_STORE_CTX *ctx);

void
X509_STORE_set_verify(X509_STORE *store, X509_STORE_CTX_verify_fn verify);

void
X509_STORE_set_verify_func(X509_STORE *store, X509_STORE_CTX_verify_fn verify);

X509_STORE_CTX_verify_fn
X509_STORE_get_verify(X509_STORE_CTX *ctx);

typedef int
(*X509_STORE_CTX_check_issued_fn)(X509_STORE_CTX *ctx, X509 *subject, X509 *issuer);

void
X509_STORE_set_check_issued(X509_STORE *store, X509_STORE_CTX_check_issued_fn check_issued);

X509_STORE_CTX_check_issued_fn
X509_STORE_get_check_issued(X509_STORE *store);

X509_STORE_CTX_check_issued_fn
X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx);

DESCRIPTION¶

X509_STORE_CTX_set_verify() configures ctx to use the verify argument as the X.509 certificate chain verification function instead of the default verification function built into the library when X509_verify_cert(3) is called.

The verify function provided by the user is only called if the X509_V_FLAG_LEGACY_VERIFY or X509_V_FLAG_NO_ALT_CHAINS flag was set on ctx using X509_STORE_CTX_set_flags(3) or X509_VERIFY_PARAM_set_flags(3). Otherwise, it is ignored and a different algorithm is used that does not support replacing the verification function.

X509_STORE_set_verify() saves the function pointer verify in the given store object. That pointer will be copied to an X509_STORE_CTX object when store is later passed as an argument to X509_STORE_CTX_init(3).

X509_STORE_set_verify_func() is an alias for X509_STORE_set_verify() implemented as a macro.

X509_STORE_set_check_issued() saves the function pointer check_issued in the given store object. That pointer will be copied to an X509_STORE_CTX object when store is later passed as an argument to X509_STORE_CTX_init(3).

The check_issued function provided by the user should check whether a given certificate subject was issued using the CA certificate issuer, and must return 0 on failure and 1 on success. The default implementation ignores the ctx argument and returns success if and only if X509_check_issued(3) returns X509_V_OK. It is important to pay close attention to the order of the issuer and subject arguments. In X509_check_issued(3) the issuer precedes the subject while in check_issued() the subject comes first.

RETURN VALUES¶

X509_STORE_CTX_verify_fn() is supposed to return 1 to indicate that the chain is valid or 0 if it is not or if an error occurred.

X509_STORE_CTX_get_verify() returns a function pointer previously set with X509_STORE_CTX_set_verify() or X509_STORE_CTX_init(3), or NULL if ctx is uninitialized.

X509_STORE_get_verify() returns the function pointer previously set with X509_STORE_set_verify(), or NULL if that function was not called on the store.

X509_STORE_get_check_issued() returns the function pointer previously set with X509_STORE_set_check_issued(), or NULL if that function was not called on the store.

X509_STORE_CTX_get_check_issued() returns the check_issued() function pointer set on the X509_STORE_CTX. This is either the check_issued() function inherited from the store used in X509_STORE_CTX_init(3) or the library's default implementation.

SEE ALSO¶

X509_check_issued(3), X509_STORE_CTX_init(3), X509_STORE_CTX_set_error(3), X509_STORE_CTX_set_flags(3), X509_STORE_CTX_set_verify_cb(3), X509_STORE_new(3), X509_STORE_set_flags(3), X509_STORE_set_verify_cb(3), X509_verify_cert(3), X509_VERIFY_PARAM_set_flags(3)

HISTORY¶

X509_STORE_set_verify_func() first appeared in SSLeay 0.8.0 and has been available since OpenBSD 2.4.

X509_STORE_CTX_set_verify() and X509_STORE_CTX_get_verify() first appeared in OpenSSL 1.1.0 and have been available since OpenBSD 7.1.

X509_STORE_CTX_verify_fn(), X509_STORE_set_verify(), and X509_STORE_get_verify() first appeared in OpenSSL 1.1.0 and have been available since OpenBSD 7.2.

X509_STORE_set_check_issued(), X509_STORE_get_check_issued(), and X509_STORE_CTX_get_check_issued() first appeared in OpenSSL 1.1.0 and have been available since OpenBSD 7.3.

BUGS¶

The reversal of order of subject and issuer between check_issued() and X509_check_issued(3) is very confusing. It has led to bugs and will cause many more.