X509_STORE_CTX_new.pod 4.5 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122
=pod

=head1 NAME

X509_STORE_CTX_new, X509_STORE_CTX_cleanup, X509_STORE_CTX_free, X509_STORE_CTX_init, X509_STORE_CTX_trusted_stack, X509_STORE_CTX_set_cert, X509_STORE_CTX_set_chain, X509_STORE_CTX_set0_crls, X509_STORE_CTX_get0_param, X509_STORE_CTX_set0_param, X509_STORE_CTX_set_default - X509_STORE_CTX initialisation

=head1 SYNOPSIS

 #include <openssl/x509_vfy.h>

 X509_STORE_CTX *X509_STORE_CTX_new(void);
 void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);
 void X509_STORE_CTX_free(X509_STORE_CTX *ctx);

 int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
			 X509 *x509, STACK_OF(X509) *chain);

 void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);

 void	X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx,X509 *x);
 void	X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx,STACK_OF(X509) *sk);
 void	X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk);

 X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx);
 void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param);
 int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name);

=head1 DESCRIPTION

These functions initialise an B<X509_STORE_CTX> structure for subsequent use
by X509_verify_cert().

X509_STORE_CTX_new() returns a newly initialised B<X509_STORE_CTX> structure.

X509_STORE_CTX_cleanup() internally cleans up an B<X509_STORE_CTX> structure.
The context can then be reused with an new call to X509_STORE_CTX_init().

X509_STORE_CTX_free() completely frees up B<ctx>. After this call B<ctx>
is no longer valid.

X509_STORE_CTX_init() sets up B<ctx> for a subsequent verification operation.
The trusted certificate store is set to B<store>, the end entity certificate
to be verified is set to B<x509> and a set of additional certificates (which
will be untrusted but may be used to build the chain) in B<chain>. Any or
all of the B<store>, B<x509> and B<chain> parameters can be B<NULL>.

X509_STORE_CTX_trusted_stack() sets the set of trusted certificates of B<ctx>
to B<sk>. This is an alternative way of specifying trusted certificates 
instead of using an B<X509_STORE>.

X509_STORE_CTX_set_cert() sets the certificate to be vertified in B<ctx> to
B<x>.

X509_STORE_CTX_set_chain() sets the additional certificate chain used by B<ctx>
to B<sk>.

X509_STORE_CTX_set0_crls() sets a set of CRLs to use to aid certificate
verification to B<sk>. These CRLs will only be used if CRL verification is
enabled in the associated B<X509_VERIFY_PARAM> structure. This might be
used where additional "useful" CRLs are supplied as part of a protocol,
for example in a PKCS#7 structure.

X509_VERIFY_PARAM *X509_STORE_CTX_get0_param() retrieves an intenal pointer
to the verification parameters associated with B<ctx>.

X509_STORE_CTX_set0_param() sets the intenal verification parameter pointer
to B<param>. After this call B<param> should not be used.

X509_STORE_CTX_set_default() looks up and sets the default verification
method to B<name>. This uses the function X509_VERIFY_PARAM_lookup() to
find an appropriate set of parameters from B<name>.

=head1 NOTES

The certificates and CRLs in a store are used internally and should B<not>
be freed up until after the associated B<X509_STORE_CTX> is freed. Legacy
applications might implicitly use an B<X509_STORE_CTX> like this:

  X509_STORE_CTX ctx;
  X509_STORE_CTX_init(&ctx, store, cert, chain);

this is B<not> recommended in new applications they should instead do:

  X509_STORE_CTX *ctx;
  ctx = X509_STORE_CTX_new();
  if (ctx == NULL)
	/* Bad error */
  X509_STORE_CTX_init(ctx, store, cert, chain);

=head1 BUGS

The certificates and CRLs in a context are used internally and should B<not>
be freed up until after the associated B<X509_STORE_CTX> is freed. Copies
should be made or reference counts increased instead.

=head1 RETURN VALUES

X509_STORE_CTX_new() returns an newly allocates context or B<NULL> is an
error occurred.

X509_STORE_CTX_init() returns 1 for success or 0 if an error occurred.

X509_STORE_CTX_get0_param() returns a pointer to an B<X509_VERIFY_PARAM>
structure or B<NULL> if an error occurred.

X509_STORE_CTX_cleanup(), X509_STORE_CTX_free(), X509_STORE_CTX_trusted_stack(),
X509_STORE_CTX_set_cert(), X509_STORE_CTX_set_chain(),
X509_STORE_CTX_set0_crls() and X509_STORE_CTX_set0_param() do not return
values.

X509_STORE_CTX_set_default() returns 1 for success or 0 if an error occurred.

=head1 SEE ALSO

L<X509_verify_cert(3)|X509_verify_cert(3)>
L<X509_VERIFY_PARAM_set_flags(3)|X509_VERIFY_PARAM_set_flags(3)>

=head1 HISTORY

X509_STORE_CTX_set0_crls() was first added to OpenSSL 1.0.0

=cut