=pod

=head1 NAME

X509_STORE_CTX_get_cleanup,
X509_STORE_CTX_get_lookup_crls,
X509_STORE_CTX_get_lookup_certs,
X509_STORE_CTX_get_check_policy,
X509_STORE_CTX_get_cert_crl,
X509_STORE_CTX_get_check_crl,
X509_STORE_CTX_get_get_crl,
X509_STORE_CTX_get_check_revocation,
X509_STORE_CTX_get_check_issued,
X509_STORE_CTX_get_get_issuer,
X509_STORE_CTX_get_verify_cb,
X509_STORE_CTX_set_verify_cb,
X509_STORE_CTX_verify_cb,
X509_STORE_CTX_print_verify_cb
- get and set X509_STORE_CTX components such as the verification callback

=head1 SYNOPSIS

 #include <openssl/x509_vfy.h>

 typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *);
 int X509_STORE_CTX_print_verify_cb(int ok, X509_STORE_CTX *ctx);

 X509_STORE_CTX_verify_cb X509_STORE_CTX_get_verify_cb(X509_STORE_CTX *ctx);

 void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
                                   X509_STORE_CTX_verify_cb verify_cb);

 X509_STORE_CTX_get_issuer_fn X509_STORE_CTX_get_get_issuer(X509_STORE_CTX *ctx);
 X509_STORE_CTX_check_issued_fn X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx);
 X509_STORE_CTX_check_revocation_fn X509_STORE_CTX_get_check_revocation(X509_STORE_CTX *ctx);
 X509_STORE_CTX_get_crl_fn X509_STORE_CTX_get_get_crl(X509_STORE_CTX *ctx);
 X509_STORE_CTX_check_crl_fn X509_STORE_CTX_get_check_crl(X509_STORE_CTX *ctx);
 X509_STORE_CTX_cert_crl_fn X509_STORE_CTX_get_cert_crl(X509_STORE_CTX *ctx);
 X509_STORE_CTX_check_policy_fn X509_STORE_CTX_get_check_policy(X509_STORE_CTX *ctx);
 X509_STORE_CTX_lookup_certs_fn X509_STORE_CTX_get_lookup_certs(X509_STORE_CTX *ctx);
 X509_STORE_CTX_lookup_crls_fn X509_STORE_CTX_get_lookup_crls(X509_STORE_CTX *ctx);
 X509_STORE_CTX_cleanup_fn X509_STORE_CTX_get_cleanup(X509_STORE_CTX *ctx);

=head1 DESCRIPTION

X509_STORE_CTX_set_verify_cb() sets the verification callback of B<ctx> to
B<verify_cb>, overwriting any existing callback.
The verification callback can be used to customise the operation of certificate
verification, for instance by overriding error conditions or logging errors for
debugging purposes.

However, a verification callback is B<not> essential and the default operation
is often sufficient.

The B<ok> parameter to the callback indicates the value the callback should
return to retain the default behaviour. A value of zero indicates an error
condition; a value of 1 indicates that no error occurred. If the flag
B<X509_V_FLAG_NOTIFY_POLICY> is set then B<ok> is set to 2 to indicate that
policy checking is complete.

The B<ctx> parameter to the callback is the B<X509_STORE_CTX> structure that
is performing the verification operation. A callback can examine this
structure and receive additional information about the error, for example
by calling X509_STORE_CTX_get_current_cert(). Additional application data can
be passed to the callback via the B<ex_data> mechanism.

X509_STORE_CTX_print_verify_cb() is a verification callback function that,
when a certificate verification has failed, adds an entry to the error queue
with code B<X509_R_CERTIFICATE_VERIFICATION_FAILED> and with diagnostic details,
including the most relevant fields of the target certificate that failed to
verify and, if appropriate, of the available untrusted and trusted certificates.

X509_STORE_CTX_get_verify_cb() returns the current callback
for the specific B<ctx>.

X509_STORE_CTX_get_get_issuer(),
X509_STORE_CTX_get_check_issued(), X509_STORE_CTX_get_check_revocation(),
X509_STORE_CTX_get_get_crl(), X509_STORE_CTX_get_check_crl(),
X509_STORE_CTX_get_cert_crl(), X509_STORE_CTX_get_check_policy(),
X509_STORE_CTX_get_lookup_certs(), X509_STORE_CTX_get_lookup_crls()
and X509_STORE_CTX_get_cleanup() return the function pointers cached
from the corresponding B<X509_STORE>; please see
L<X509_STORE_set_verify(3)> for more information.


=head1 WARNINGS

In general a verification callback should B<NOT> unconditionally return 1 in
all circumstances, because this will allow verification to succeed regardless
of the error. This effectively removes all security from the application
because B<any> certificate (including untrusted, arbitrarily generated ones)
will be accepted.

=head1 NOTES

The verification callback can be set on the structure directly or inherited
from the parent structure performing the operation. In some cases (such as
S/MIME verification) the B<X509_STORE_CTX> structure is created and destroyed
internally and the only way to set a custom verification callback is by
inheriting it from the associated B<X509_STORE>.

=head1 RETURN VALUES

X509_STORE_CTX_set_verify_cb() does not return a value.

=head1 EXAMPLES

Default callback operation:

 int verify_callback(int ok, X509_STORE_CTX *ctx) {
     return ok;
 }

Simple example: suppose a certificate in the chain is expired and we wish
to continue after this error:

 int verify_callback(int ok, X509_STORE_CTX *ctx) {
     /* Tolerate certificate expiration */
     if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_CERT_HAS_EXPIRED)
         return 1;
     /* Otherwise don't override */
     return ok;
 }

More complex example: we do not wish to continue after B<any> certificate has
expired, only in one specific case:

 int verify_callback(int ok, X509_STORE_CTX *ctx)
 {
     int err = X509_STORE_CTX_get_error(ctx);
     X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx);

     if (err == X509_V_ERR_CERT_HAS_EXPIRED) {
         if (check_is_acceptable_expired_cert(err_cert))
             return 1;
     }
     return ok;
 }

Full featured logging callback. In this case B<bio_err> is assumed to be
a global logging B<BIO>; an alternative would be to store a BIO in B<ctx> using
B<ex_data>.

 int verify_callback(int ok, X509_STORE_CTX *ctx)
 {
     X509 *err_cert;
     int err, depth;

     err_cert = X509_STORE_CTX_get_current_cert(ctx);
     err = X509_STORE_CTX_get_error(ctx);
     depth = X509_STORE_CTX_get_error_depth(ctx);

     BIO_printf(bio_err, "depth=%d ", depth);
     if (err_cert) {
         X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert),
                            0, XN_FLAG_ONELINE);
         BIO_puts(bio_err, "\n");
     }
     else
         BIO_puts(bio_err, "<no cert>\n");
     if (!ok)
         BIO_printf(bio_err, "verify error:num=%d:%s\n", err,
                    X509_verify_cert_error_string(err));
     switch (err) {
     case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
         BIO_puts(bio_err, "issuer= ");
         X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert),
                            0, XN_FLAG_ONELINE);
         BIO_puts(bio_err, "\n");
         break;
     case X509_V_ERR_CERT_NOT_YET_VALID:
     case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
         BIO_printf(bio_err, "notBefore=");
         ASN1_TIME_print(bio_err, X509_get_notBefore(err_cert));
         BIO_printf(bio_err, "\n");
         break;
     case X509_V_ERR_CERT_HAS_EXPIRED:
     case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
         BIO_printf(bio_err, "notAfter=");
         ASN1_TIME_print(bio_err, X509_get_notAfter(err_cert));
         BIO_printf(bio_err, "\n");
         break;
     case X509_V_ERR_NO_EXPLICIT_POLICY:
         policies_print(bio_err, ctx);
         break;
     }
     if (err == X509_V_OK && ok == 2)
         /* print out policies */
         policies_print(bio_err, ctx);

     BIO_printf(bio_err, "verify return:%d\n", ok);
     return(ok);
 }

=head1 SEE ALSO

L<X509_STORE_CTX_get_error(3)>,
L<X509_STORE_set_verify_cb_func(3)>,
L<X509_STORE_CTX_get_ex_new_index(3)>

=head1 HISTORY

The
X509_STORE_CTX_get_get_issuer(),
X509_STORE_CTX_get_check_issued(), X509_STORE_CTX_get_check_revocation(),
X509_STORE_CTX_get_get_crl(), X509_STORE_CTX_get_check_crl(),
X509_STORE_CTX_get_cert_crl(), X509_STORE_CTX_get_check_policy(),
X509_STORE_CTX_get_lookup_certs(),
X509_STORE_CTX_get_lookup_crls()
and X509_STORE_CTX_get_cleanup() functions were added in OpenSSL 1.1.0.

X509_STORE_CTX_print_verify_cb() was added in OpenSSL 3.0.

=head1 COPYRIGHT

Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut