=pod

=head1 NAME

X509_STORE_set_lookup_crls_cb,
X509_STORE_set_verify_func,
X509_STORE_get_cleanup,
X509_STORE_set_cleanup,
X509_STORE_get_lookup_crls,
X509_STORE_set_lookup_crls,
X509_STORE_get_lookup_certs,
X509_STORE_set_lookup_certs,
X509_STORE_get_check_policy,
X509_STORE_set_check_policy,
X509_STORE_get_cert_crl,
X509_STORE_set_cert_crl,
X509_STORE_get_check_crl,
X509_STORE_set_check_crl,
X509_STORE_get_get_crl,
X509_STORE_set_get_crl,
X509_STORE_get_check_revocation,
X509_STORE_set_check_revocation,
X509_STORE_get_check_issued,
X509_STORE_set_check_issued,
X509_STORE_CTX_get1_issuer,
X509_STORE_get_get_issuer,
X509_STORE_set_get_issuer,
X509_STORE_CTX_get_verify,
X509_STORE_set_verify,
X509_STORE_get_verify_cb,
X509_STORE_set_verify_cb_func, X509_STORE_set_verify_cb,
X509_STORE_CTX_cert_crl_fn, X509_STORE_CTX_check_crl_fn,
X509_STORE_CTX_check_issued_fn, X509_STORE_CTX_check_policy_fn,
X509_STORE_CTX_check_revocation_fn, X509_STORE_CTX_cleanup_fn,
X509_STORE_CTX_get_crl_fn, X509_STORE_CTX_get_issuer_fn,
X509_STORE_CTX_lookup_certs_fn, X509_STORE_CTX_lookup_crls_fn
- set verification callback

=head1 SYNOPSIS

 #include <openssl/x509_vfy.h>

 typedef int (*X509_STORE_CTX_get_issuer_fn)(X509 **issuer,
                                             X509_STORE_CTX *ctx, X509 *x);
 typedef int (*X509_STORE_CTX_check_issued_fn)(X509_STORE_CTX *ctx,
                                               X509 *x, X509 *issuer);
 typedef int (*X509_STORE_CTX_check_revocation_fn)(X509_STORE_CTX *ctx);
 typedef int (*X509_STORE_CTX_get_crl_fn)(X509_STORE_CTX *ctx,
                                          X509_CRL **crl, X509 *x);
 typedef int (*X509_STORE_CTX_check_crl_fn)(X509_STORE_CTX *ctx, X509_CRL *crl);
 typedef int (*X509_STORE_CTX_cert_crl_fn)(X509_STORE_CTX *ctx,
                                           X509_CRL *crl, X509 *x);
 typedef int (*X509_STORE_CTX_check_policy_fn)(X509_STORE_CTX *ctx);
 typedef STACK_OF(X509) *(*X509_STORE_CTX_lookup_certs_fn)(X509_STORE_CTX *ctx,
                                                           const X509_NAME *nm);
 typedef STACK_OF(X509_CRL)
     *(*X509_STORE_CTX_lookup_crls_fn)(const
                                       X509_STORE_CTX *ctx,
                                       const X509_NAME *nm);
 typedef int (*X509_STORE_CTX_cleanup_fn)(X509_STORE_CTX *ctx);

 void X509_STORE_set_verify_cb(X509_STORE *ctx,
                               X509_STORE_CTX_verify_cb verify_cb);
 X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(const X509_STORE_CTX *ctx);

 void X509_STORE_set_verify(X509_STORE *ctx, X509_STORE_CTX_verify_fn verify);
 X509_STORE_CTX_verify_fn X509_STORE_CTX_get_verify(const X509_STORE_CTX *ctx);

 int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
 X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(const X509_STORE_CTX *ctx);
 void X509_STORE_set_get_issuer(X509_STORE *ctx,
                                X509_STORE_CTX_get_issuer_fn get_issuer);

 void X509_STORE_set_check_issued(X509_STORE *ctx,
                                  X509_STORE_CTX_check_issued_fn check_issued);
 X509_STORE_CTX_check_issued_fn
     X509_STORE_get_check_issued(const X509_STORE_CTX *ctx);

 void X509_STORE_set_check_revocation(X509_STORE *ctx,
                                      X509_STORE_CTX_check_revocation_fn check_revocation);
 X509_STORE_CTX_check_revocation_fn
     X509_STORE_get_check_revocation(const X509_STORE_CTX *ctx);

 void X509_STORE_set_get_crl(X509_STORE *ctx,
                             X509_STORE_CTX_get_crl_fn get_crl);
 X509_STORE_CTX_get_crl_fn X509_STORE_get_get_crl(const X509_STORE_CTX *ctx);

 void X509_STORE_set_check_crl(X509_STORE *ctx,
                               X509_STORE_CTX_check_crl_fn check_crl);
 X509_STORE_CTX_check_crl_fn
     X509_STORE_get_check_crl(const X509_STORE_CTX *ctx);

 void X509_STORE_set_cert_crl(X509_STORE *ctx,
                              X509_STORE_CTX_cert_crl_fn cert_crl);
 X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(const X509_STORE_CTX *ctx);

 void X509_STORE_set_check_policy(X509_STORE *ctx,
                                  X509_STORE_CTX_check_policy_fn check_policy);
 X509_STORE_CTX_check_policy_fn
     X509_STORE_get_check_policy(const X509_STORE_CTX *ctx);

 void X509_STORE_set_lookup_certs(X509_STORE *ctx,
                                  X509_STORE_CTX_lookup_certs_fn
                                      lookup_certs);
 X509_STORE_CTX_lookup_certs_fn
     X509_STORE_get_lookup_certs(const X509_STORE_CTX *ctx);

 void X509_STORE_set_lookup_crls(X509_STORE *ctx,
                                 X509_STORE_CTX_lookup_crls_fn lookup_crls);
 X509_STORE_CTX_lookup_crls_fn
     X509_STORE_get_lookup_crls(const X509_STORE_CTX *ctx);

 void X509_STORE_set_cleanup(X509_STORE *ctx,
                             X509_STORE_CTX_cleanup_fn cleanup);
 X509_STORE_CTX_cleanup_fn X509_STORE_get_cleanup(const X509_STORE_CTX *ctx);

 /* Aliases */
 void X509_STORE_set_verify_cb_func(X509_STORE *st,
                                    X509_STORE_CTX_verify_cb verify_cb);
 void X509_STORE_set_verify_func(X509_STORE *ctx,
                                 X509_STORE_CTX_verify_fn verify);
 void X509_STORE_set_lookup_crls_cb(X509_STORE *ctx,
                                    X509_STORE_CTX_lookup_crls_fn lookup_crls);

=head1 DESCRIPTION

X509_STORE_set_verify_cb() sets the verification callback of I<ctx> to
I<verify_cb>, overwriting the previous callback.
The callback assigned with this function becomes a default for the one
that can be assigned directly to the corresponding B<X509_STORE_CTX>;
please see L<X509_STORE_CTX_set_verify_cb(3)> for further information.

X509_STORE_set_verify() sets the final chain verification function for
I<ctx> to I<verify>.
Its purpose is to go through the chain of certificates and check that
all signatures are valid and that the current time is within the
limits of each certificate's first and last validity time.
The final chain verification functions must return 0 on failure and 1
on success.
I<If no chain verification function is provided, the internal default
function will be used instead.>

X509_STORE_CTX_get1_issuer() tries to find a certificate from the I<store>
component of I<ctx> with a subject name matching the issuer name of I<x>.
On success it assigns to I<*issuer> the first match that is currently valid,
or at least the most recently expired match if there is no currently valid one.
If the function returns 1 the caller is responsible for freeing I<*issuer>.

X509_STORE_set_get_issuer() sets the function I<get_issuer>
to get the "best" candidate issuer certificate of the given certificate I<x>.
When such a certificate is found, I<get_issuer> must up-ref and assign it
to I<*issuer> and then return 1.
Otherwise I<get_issuer> must return 0 if not found and -1 (or 0) on failure.
If X509_STORE_set_get_issuer() is not used or I<get_issuer> is NULL
then X509_STORE_CTX_get1_issuer() is used as the default implementation.

X509_STORE_set_check_issued() sets the function to check that a given
certificate I<x> is issued by the issuer certificate I<issuer>.
This function must return 0 on failure (among others if I<x> hasn't
been issued by I<issuer>) and 1 on success.
I<If no such function is provided, the internal default
function will be used instead.>

X509_STORE_set_check_revocation() sets the revocation checking
function.
Its purpose is to look through the final chain and check the
revocation status for each certificate.
It must return 0 on failure and 1 on success.
I<If no such function is provided, the internal default
function will be used instead.>

X509_STORE_set_get_crl() sets the function to get the CRL for a given
certificate I<x>.
When found, the CRL must be assigned to I<*crl>.
This function must return 0 on failure and 1 on success.
I<If no such function is provided, the internal default
function will be used instead.>

X509_STORE_set_check_crl() sets the function to check the validity of
the given I<crl>.
This function must return 0 on failure and 1 on success.
I<If no such function is provided, the internal default
function will be used instead.>

X509_STORE_set_cert_crl() sets the function to check the revocation
status of the given certificate I<x> against the given I<crl>.
This function must return 0 on failure and 1 on success.
I<If no such function is provided, the internal default
function will be used instead.>

X509_STORE_set_check_policy() sets the function to check the policies
of all the certificates in the final chain.
This function must return 0 on failure and 1 on success.
I<If no such function is provided, the internal default
function will be used instead.>

X509_STORE_set_lookup_certs() and X509_STORE_set_lookup_crls() set the
functions to look up all the certs or all the CRLs that match the
given name I<nm>.
These functions return NULL on failure and a pointer to a stack of
certificates (B<X509>) or to a stack of CRLs (B<X509_CRL>) on
success.
I<If no such function is provided, the internal default
function will be used instead.>

X509_STORE_set_cleanup() sets the final cleanup function, which is
called when the context (B<X509_STORE_CTX>) is being torn down.
This function doesn't return any value.
I<If no such function is provided, the internal default
function will be used instead.>

X509_STORE_get_verify_cb(), X509_STORE_CTX_get_verify(),
X509_STORE_get_get_issuer(), X509_STORE_get_check_issued(),
X509_STORE_get_check_revocation(), X509_STORE_get_get_crl(),
X509_STORE_get_check_crl(), X509_STORE_get_cert_crl(),
X509_STORE_get_check_policy(), X509_STORE_get_lookup_certs(),
X509_STORE_get_lookup_crls() and X509_STORE_get_cleanup() all return
the function pointer assigned with X509_STORE_set_verify_cb(),
X509_STORE_set_verify(), X509_STORE_set_get_issuer(),
X509_STORE_set_check_issued(), X509_STORE_set_check_revocation(),
X509_STORE_set_get_crl(), X509_STORE_set_check_crl(),
X509_STORE_set_cert_crl(), X509_STORE_set_check_policy(),
X509_STORE_set_lookup_certs(), X509_STORE_set_lookup_crls() and
X509_STORE_set_cleanup(), respectively, or NULL if no assignment has
been made.

X509_STORE_set_verify_cb_func(), X509_STORE_set_verify_func() and
X509_STORE_set_lookup_crls_cb() are aliases for
X509_STORE_set_verify_cb(), X509_STORE_set_verify() and
X509_STORE_set_lookup_crls(), respectively, available as macros for
backward compatibility.

=head1 NOTES

All the callbacks from a B<X509_STORE> are inherited by the
corresponding B<X509_STORE_CTX> structure when it is initialized.
See L<X509_STORE_CTX_set_verify_cb(3)> for further details.

Each function set here replaces the corresponding internal default, so
a replacement that returns 1 without actually performing its check
removes that check from certificate verification for every
B<X509_STORE_CTX> that inherits it from the store.

=head1 BUGS

The macro version of this function was the only one available before
OpenSSL 1.0.0.

=head1 RETURN VALUES

The X509_STORE_set_*() functions do not return a value.

The X509_STORE_get_*() functions return a pointer of the appropriate
function type.

X509_STORE_CTX_get1_issuer() returns
1 if a suitable certificate is found, 0 if not found, -1 on other error.

=head1 SEE ALSO

L<X509_STORE_CTX_set_verify_cb(3)>, L<X509_STORE_CTX_get0_chain(3)>,
L<X509_STORE_CTX_verify_cb(3)>, L<X509_STORE_CTX_verify_fn(3)>,
L<CMS_verify(3)>

=head1 HISTORY

The X509_STORE_set_verify_cb() function was added in OpenSSL 1.0.0.

The functions
X509_STORE_set_verify_cb(), X509_STORE_get_verify_cb(),
X509_STORE_set_verify(), X509_STORE_CTX_get_verify(),
X509_STORE_set_get_issuer(), X509_STORE_get_get_issuer(),
X509_STORE_set_check_issued(), X509_STORE_get_check_issued(),
X509_STORE_set_check_revocation(), X509_STORE_get_check_revocation(),
X509_STORE_set_get_crl(), X509_STORE_get_get_crl(),
X509_STORE_set_check_crl(), X509_STORE_get_check_crl(),
X509_STORE_set_cert_crl(), X509_STORE_get_cert_crl(),
X509_STORE_set_check_policy(), X509_STORE_get_check_policy(),
X509_STORE_set_lookup_certs(), X509_STORE_get_lookup_certs(),
X509_STORE_set_lookup_crls(), X509_STORE_get_lookup_crls(),
X509_STORE_set_cleanup() and X509_STORE_get_cleanup()
were added in OpenSSL 1.1.0.

=head1 COPYRIGHT

Copyright 2009-2021 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut