author | Jung-uk Kim <jkim@FreeBSD.org> | 2018-09-13 23:14:57 +0000 |
---|---|---|
committer | Jung-uk Kim <jkim@FreeBSD.org> | 2018-09-13 23:14:57 +0000 |
commit | 54967a4e950cb7b16a26428f9e3872aa8fe83d16 (patch) | |
tree | 8ebcd0ceb80e3719deabb8cbd455ab2685cf0c96 /secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3 | |
parent | 9b21da0ecb8941dc7c6bd721ccfe05cecd7d6432 (diff) | |
Diffstat (limited to 'secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3')
-rw-r--r-- | secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3 | 193 |
1 files changed, 114 insertions, 79 deletions
diff --git a/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3 b/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
index 9a6570b2ba90..ad66efab3d10 100644
--- a/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
+++ b/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
@@ -128,21 +128,36 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "X509_STORE_CTX_set_verify_cb 3" -.TH X509_STORE_CTX_set_verify_cb 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "X509_STORE_CTX_SET_VERIFY_CB 3" +.TH X509_STORE_CTX_SET_VERIFY_CB 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -X509_STORE_CTX_set_verify_cb \- set verification callback +X509_STORE_CTX_get_cleanup, X509_STORE_CTX_get_lookup_crls, X509_STORE_CTX_get_lookup_certs, X509_STORE_CTX_get_check_policy, X509_STORE_CTX_get_cert_crl, X509_STORE_CTX_get_check_crl, X509_STORE_CTX_get_get_crl, X509_STORE_CTX_get_check_revocation, X509_STORE_CTX_get_check_issued, X509_STORE_CTX_get_get_issuer, X509_STORE_CTX_get_verify_cb, X509_STORE_CTX_set_verify_cb, X509_STORE_CTX_verify_cb \&\- get and set verification callback .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include <openssl/x509_vfy.h> \& +\& typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *); +\& +\& X509_STORE_CTX_verify_cb X509_STORE_CTX_get_verify_cb(X509_STORE_CTX *ctx); +\& \& void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, -\& int (*verify_cb)(int ok, X509_STORE_CTX *ctx)); +\& X509_STORE_CTX_verify_cb verify_cb); +\& +\& X509_STORE_CTX_get_issuer_fn X509_STORE_CTX_get_get_issuer(X509_STORE_CTX *ctx); +\& X509_STORE_CTX_check_issued_fn X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx); +\& X509_STORE_CTX_check_revocation_fn X509_STORE_CTX_get_check_revocation(X509_STORE_CTX *ctx); +\& X509_STORE_CTX_get_crl_fn X509_STORE_CTX_get_get_crl(X509_STORE_CTX *ctx); +\& X509_STORE_CTX_check_crl_fn X509_STORE_CTX_get_check_crl(X509_STORE_CTX *ctx); +\& X509_STORE_CTX_cert_crl_fn X509_STORE_CTX_get_cert_crl(X509_STORE_CTX *ctx); +\& X509_STORE_CTX_check_policy_fn X509_STORE_CTX_get_check_policy(X509_STORE_CTX *ctx); +\& 
X509_STORE_CTX_lookup_certs_fn X509_STORE_CTX_get_lookup_certs(X509_STORE_CTX *ctx); +\& X509_STORE_CTX_lookup_crls_fn X509_STORE_CTX_get_lookup_crls(X509_STORE_CTX *ctx); +\& X509_STORE_CTX_cleanup_fn X509_STORE_CTX_get_cleanup(X509_STORE_CTX *ctx); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -157,7 +172,7 @@ However a verification callback is \fBnot\fR essential and the default operation is often sufficient. .PP The \fBok\fR parameter to the callback indicates the value the callback should -return to retain the default behaviour. If it is zero then and error condition +return to retain the default behaviour. If it is zero then an error condition is indicated. If it is 1 then no error occurred. If the flag \&\fBX509_V_FLAG_NOTIFY_POLICY\fR is set then \fBok\fR is set to 2 to indicate the policy checking is complete. @@ -167,6 +182,18 @@ is performing the verification operation. A callback can examine this structure and receive additional information about the error, for example by calling \fIX509_STORE_CTX_get_current_cert()\fR. Additional application data can be passed to the callback via the \fBex_data\fR mechanism. +.PP +\&\fIX509_STORE_CTX_get_verify_cb()\fR returns the value of the current callback +for the specific \fBctx\fR. +.PP +\&\fIX509_STORE_CTX_get_get_issuer()\fR, +\&\fIX509_STORE_CTX_get_check_issued()\fR, \fIX509_STORE_CTX_get_check_revocation()\fR, +\&\fIX509_STORE_CTX_get_get_crl()\fR, \fIX509_STORE_CTX_get_check_crl()\fR, +\&\fIX509_STORE_CTX_get_cert_crl()\fR, \fIX509_STORE_CTX_get_check_policy()\fR, +\&\fIX509_STORE_CTX_get_lookup_certs()\fR, \fIX509_STORE_CTX_get_lookup_crls()\fR +and \fIX509_STORE_CTX_get_cleanup()\fR return the function pointers cached +from the corresponding \fBX509_STORE\fR, please see +\&\fIX509_STORE_set_verify\fR\|(3) for more information. .SH "WARNING" .IX Header "WARNING" In general a verification callback should \fB\s-1NOT\s0\fR unconditionally return 1 in 
@@ -188,42 +215,40 @@ associated \fBX509_STORE\fR. .IX Header "EXAMPLES" Default callback operation: .PP -.Vb 4 -\& int verify_callback(int ok, X509_STORE_CTX *ctx) -\& { -\& return ok; -\& } +.Vb 3 +\& int verify_callback(int ok, X509_STORE_CTX *ctx) { +\& return ok; +\& } .Ve .PP Simple example, suppose a certificate in the chain is expired and we wish to continue after this error: .PP -.Vb 8 -\& int verify_callback(int ok, X509_STORE_CTX *ctx) -\& { -\& /* Tolerate certificate expiration */ -\& if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_CERT_HAS_EXPIRED) -\& return 1; -\& /* Otherwise don\*(Aqt override */ -\& return ok; -\& } +.Vb 7 +\& int verify_callback(int ok, X509_STORE_CTX *ctx) { +\& /* Tolerate certificate expiration */ +\& if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_CERT_HAS_EXPIRED) +\& return 1; +\& /* Otherwise don\*(Aqt override */ +\& return ok; +\& } .Ve .PP More complex example, we don't wish to continue after \fBany\fR certificate has expired just one specific case: .PP -.Vb 11 +.Vb 4 \& int verify_callback(int ok, X509_STORE_CTX *ctx) -\& { -\& int err = X509_STORE_CTX_get_error(ctx); -\& X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx); -\& if (err == X509_V_ERR_CERT_HAS_EXPIRED) -\& { -\& if (check_is_acceptable_expired_cert(err_cert) -\& return 1; -\& } -\& return ok; -\& } +\& { +\& int err = X509_STORE_CTX_get_error(ctx); +\& X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx); +\& +\& if (err == X509_V_ERR_CERT_HAS_EXPIRED) { +\& if (check_is_acceptable_expired_cert(err_cert) +\& return 1; +\& } +\& return ok; +\& } .Ve .PP Full featured logging callback. In this case the \fBbio_err\fR is assumed to be 
@@ -232,56 +257,54 @@ a global logging \fB\s-1BIO\s0\fR, an alternative would to store a \s-1BIO\s0 in .PP .Vb 4 \& int verify_callback(int ok, X509_STORE_CTX *ctx) -\& { -\& X509 *err_cert; -\& int err,depth; +\& { +\& X509 *err_cert; +\& int err, depth; \& -\& err_cert = X509_STORE_CTX_get_current_cert(ctx); -\& err = X509_STORE_CTX_get_error(ctx); -\& depth = X509_STORE_CTX_get_error_depth(ctx); +\& err_cert = X509_STORE_CTX_get_current_cert(ctx); +\& err = X509_STORE_CTX_get_error(ctx); +\& depth = X509_STORE_CTX_get_error_depth(ctx); \& -\& BIO_printf(bio_err,"depth=%d ",depth); -\& if (err_cert) -\& { -\& X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert), -\& 0, XN_FLAG_ONELINE); -\& BIO_puts(bio_err, "\en"); -\& } -\& else -\& BIO_puts(bio_err, "<no cert>\en"); -\& if (!ok) -\& BIO_printf(bio_err,"verify error:num=%d:%s\en",err, -\& X509_verify_cert_error_string(err)); -\& switch (err) -\& { -\& case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: -\& BIO_puts(bio_err,"issuer= "); -\& X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert), -\& 0, XN_FLAG_ONELINE); -\& BIO_puts(bio_err, "\en"); -\& break; -\& case X509_V_ERR_CERT_NOT_YET_VALID: -\& case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: -\& BIO_printf(bio_err,"notBefore="); -\& ASN1_TIME_print(bio_err,X509_get_notBefore(err_cert)); -\& BIO_printf(bio_err,"\en"); -\& break; -\& case X509_V_ERR_CERT_HAS_EXPIRED: -\& case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: -\& BIO_printf(bio_err,"notAfter="); -\& ASN1_TIME_print(bio_err,X509_get_notAfter(err_cert)); -\& BIO_printf(bio_err,"\en"); -\& break; -\& case X509_V_ERR_NO_EXPLICIT_POLICY: -\& policies_print(bio_err, ctx); -\& break; -\& } -\& if (err == X509_V_OK && ok == 2) -\& /* print out policies */ +\& BIO_printf(bio_err, "depth=%d ", depth); +\& if (err_cert) { +\& X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert), +\& 0, XN_FLAG_ONELINE); +\& BIO_puts(bio_err, "\en"); +\& } +\& else +\& BIO_puts(bio_err, "<no cert>\en"); +\& if (!ok) 
+\& BIO_printf(bio_err, "verify error:num=%d:%s\en", err, +\& X509_verify_cert_error_string(err)); +\& switch (err) { +\& case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: +\& BIO_puts(bio_err, "issuer= "); +\& X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert), +\& 0, XN_FLAG_ONELINE); +\& BIO_puts(bio_err, "\en"); +\& break; +\& case X509_V_ERR_CERT_NOT_YET_VALID: +\& case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: +\& BIO_printf(bio_err, "notBefore="); +\& ASN1_TIME_print(bio_err, X509_get_notBefore(err_cert)); +\& BIO_printf(bio_err, "\en"); +\& break; +\& case X509_V_ERR_CERT_HAS_EXPIRED: +\& case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: +\& BIO_printf(bio_err, "notAfter="); +\& ASN1_TIME_print(bio_err, X509_get_notAfter(err_cert)); +\& BIO_printf(bio_err, "\en"); +\& break; +\& case X509_V_ERR_NO_EXPLICIT_POLICY: +\& policies_print(bio_err, ctx); +\& break; +\& } +\& if (err == X509_V_OK && ok == 2) +\& /* print out policies */ \& -\& BIO_printf(bio_err,"verify return:%d\en",ok); -\& return(ok); -\& } +\& BIO_printf(bio_err, "verify return:%d\en", ok); +\& return(ok); +\& } .Ve .SH "SEE ALSO" .IX Header "SEE ALSO" 
@@ -290,5 +313,17 @@ a global logging \fB\s-1BIO\s0\fR, an alternative would to store a \s-1BIO\s0 in \&\fIX509_STORE_CTX_get_ex_new_index\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\fIX509_STORE_CTX_set_verify_cb()\fR is available in all versions of SSLeay and -OpenSSL. +\&\fIX509_STORE_CTX_get_get_issuer()\fR, +\&\fIX509_STORE_CTX_get_check_issued()\fR, \fIX509_STORE_CTX_get_check_revocation()\fR, +\&\fIX509_STORE_CTX_get_get_crl()\fR, \fIX509_STORE_CTX_get_check_crl()\fR, +\&\fIX509_STORE_CTX_get_cert_crl()\fR, \fIX509_STORE_CTX_get_check_policy()\fR, +\&\fIX509_STORE_CTX_get_lookup_certs()\fR, \fIX509_STORE_CTX_get_lookup_crls()\fR +and \fIX509_STORE_CTX_get_cleanup()\fR were added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2009\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. |