Implement X509_STORE_CTX_set_current_cert() accessor

Reviewed-by: NRich Salz <rsalz@openssl.org>

crypto/x509/x509_vfy.c

@@ -1999,6 +1999,11 @@ X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
     return ctx->current_cert;
 }
 
+void X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x)
+{
+    ctx->current_cert = x;
+}
+
 STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx)
 {
     return ctx->chain;

doc/crypto/X509_STORE_CTX_get_error.pod

@@ -4,8 +4,10 @@
 
 X509_STORE_CTX_get_error, X509_STORE_CTX_set_error,
 X509_STORE_CTX_get_error_depth, X509_STORE_CTX_set_error_depth,
-X509_STORE_CTX_get_current_cert, X509_STORE_CTX_get0_cert,
-X509_STORE_CTX_get1_chain, X509_verify_cert_error_string - get or set certificate verification status information
+X509_STORE_CTX_get_current_cert, X509_STORE_CTX_set_current_cert,
+X509_STORE_CTX_get0_cert, X509_STORE_CTX_get1_chain,
+X509_verify_cert_error_string - get or set certificate verification status
+information
 
 =head1 SYNOPSIS
 
@@ -13,10 +15,11 @@ X509_STORE_CTX_get1_chain, X509_verify_cert_error_string - get or set certificat
  #include <openssl/x509_vfy.h>
 
  int   X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
- void  X509_STORE_CTX_set_error(X509_STORE_CTX *ctx,int s);
+ void  X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int s);
  int   X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
  void  X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth);
  X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
+ void  X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x);
  X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx);
 
  STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx);
@@ -44,11 +47,23 @@ X509_STORE_CTX_set_error_depth() sets the error B<depth>.
 This can be used in combination with X509_STORE_CTX_set_error() to set the
 depth at which an error condition was detected.
 
-X509_STORE_CTX_get0_cert() returns the leaf certificate being verified.
-
 X509_STORE_CTX_get_current_cert() returns the certificate in B<ctx> which
 caused the error or B<NULL> if no certificate is relevant.
 
+X509_STORE_CTX_set_current_cert() sets the certificate B<x> in B<ctx> which
+caused the error.
+This value is not intended to remain valid for very long, and remains owned by
+the caller.
+It may be examined by a verification callback invoked to handle each error
+encountered during chain verification and is no longer required after such a
+callback.
+If a callback wishes the save the certificate for use after it returns, it
+needs to increment its reference count via L<X509_up_ref(3)>.
+Once such a I<saved> certificate is no longer needed it can be freed with
+L<X509_free(3)>.
+
+X509_STORE_CTX_get0_cert() returns the leaf certificate being verified.
+
 X509_STORE_CTX_get1_chain() returns a complete validate chain if a previous
 call to X509_verify_cert() is successful. If the call to X509_verify_cert()
 is B<not> successful the returned chain may be incomplete or invalid. The
@@ -307,7 +322,9 @@ thread safe but will never happen unless an invalid code is passed.
 
 =head1 SEE ALSO
 
-L<X509_verify_cert(3)>
+L<X509_verify_cert(3)>,
+L<X509_up_ref(3)>,
+L<X509_free(3)>.
 
 =head1 HISTORY
 

include/openssl/x509_vfy.h

@@ -372,6 +372,7 @@ void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int s);
 int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
 void X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth);
 X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
+void X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x);
 X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx);
 X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx);
 X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx);