NAME¶
X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags,
X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose,
X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth,
X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_time,
X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies,
X509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_add1_host,
X509_VERIFY_PARAM_set_hostflags, X509_VERIFY_PARAM_get0_peername,
X509_VERIFY_PARAM_set1_email, X509_VERIFY_PARAM_set1_ip,
X509_VERIFY_PARAM_set1_ip_asc - X509 verification parameters
SYNOPSIS¶
#include <openssl/x509_vfy.h>
int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags);
int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param,
unsigned long flags);
unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param);
int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose);
int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust);
void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t);
int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
ASN1_OBJECT *policy);
int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
STACK_OF(ASN1_OBJECT) *policies);
void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth);
int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param);
int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
const char *name, size_t namelen);
int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
const char *name, size_t namelen);
void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
unsigned int flags);
char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param);
int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
const char *email, size_t emaillen);
int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
const unsigned char *ip, size_t iplen);
int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc);
DESCRIPTION¶
These functions manipulate the
X509_VERIFY_PARAM structure associated
with a certificate verification operation.
The
X509_VERIFY_PARAM_set_flags() function sets the flags in
param
by oring it with
flags. See the
VERIFICATION FLAGS section for a
complete description of values the
flags parameter can take.
X509_VERIFY_PARAM_get_flags() returns the flags in
param.
X509_VERIFY_PARAM_clear_flags() clears the flags
flags in
param.
X509_VERIFY_PARAM_set_purpose() sets the verification purpose in
param to
purpose. This determines the acceptable purpose of the
certificate chain, for example SSL client or SSL server.
X509_VERIFY_PARAM_set_trust() sets the trust setting in
param to
trust.
X509_VERIFY_PARAM_set_time() sets the verification time in
param
to
t. Normally the current time is used.
X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
by default) and adds
policy to the acceptable policy set.
X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
by default) and sets the acceptable policy set to
policies. Any
existing policy set is cleared. The
policies parameter can be
NULL to clear an existing policy set.
X509_VERIFY_PARAM_set_depth() sets the maximum verification depth to
depth. That is the maximum number of untrusted CA certificates that can
appear in a chain.
X509_VERIFY_PARAM_set1_host() sets the expected DNS hostname to
name clearing any previously specified host name or names. If
name is NULL, or empty the list of hostnames is cleared, and name
checks are not performed on the peer certificate. If
name is
NUL-terminated,
namelen may be zero, otherwise
namelen must be
set to the length of
name. When a hostname is specified, certificate
verification automatically invokes
X509_check_host(3) with flags equal
to the
flags argument given to
X509_VERIFY_PARAM_set_hostflags() (default zero).
Applications are strongly advised to use this interface in preference to
explicitly calling
X509_check_host(3), hostname checks are out of scope
with the
DANE-EE(3) certificate usage, and the internal check will be
suppressed as appropriate when DANE support is added to OpenSSL.
X509_VERIFY_PARAM_add1_host() adds
name as an additional reference
identifer that can match the peer's certificate. Any previous names set via
X509_VERIFY_PARAM_set1_host() or
X509_VERIFY_PARAM_add1_host()
are retained, no change is made if
name is NULL or empty. When multiple
names are configured, the peer is considered verified when any name matches.
X509_VERIFY_PARAM_get0_peername() returns the DNS hostname or subject
CommonName from the peer certificate that matched one of the reference
identifiers. When wildcard matching is not disabled, or when a reference
identifier specifies a parent domain (starts with ".") rather than a
hostname, the peer name may be a wildcard name or a sub-domain of the
reference identifier respectively. The return string is allocated by the
library and is no longer valid once the associated
param argument is
freed. Applications must not free the return value.
X509_VERIFY_PARAM_set1_email() sets the expected RFC822 email address to
email. If
email is NUL-terminated,
emaillen may be zero,
otherwise
emaillen must be set to the length of
email. When an
email address is specified, certificate verification automatically invokes
X509_check_email(3).
X509_VERIFY_PARAM_set1_ip() sets the expected IP address to
ip.
The
ip argument is in binary format, in network byte-order and
iplen must be set to 4 for IPv4 and 16 for IPv6. When an IP address is
specified, certificate verification automatically invokes
X509_check_ip(3).
X509_VERIFY_PARAM_set1_ip_asc() sets the expected IP address to
ipasc. The
ipasc argument is a NUL-terminal ASCII string: dotted
decimal quad for IPv4 and colon-separated hexadecimal for IPv6. The condensed
"::" notation is supported for IPv6 addresses.
RETURN VALUES¶
X509_VERIFY_PARAM_set_flags(),
X509_VERIFY_PARAM_clear_flags(),
X509_VERIFY_PARAM_set_purpose(),
X509_VERIFY_PARAM_set_trust(),
X509_VERIFY_PARAM_add0_policy()
X509_VERIFY_PARAM_set1_policies(),
X509_VERIFY_PARAM_set1_host(),
X509_VERIFY_PARAM_set_hostflags(),
X509_VERIFY_PARAM_set1_email(),
X509_VERIFY_PARAM_set1_ip() and
X509_VERIFY_PARAM_set1_ip_asc() return 1 for success and 0 for failure.
X509_VERIFY_PARAM_get_flags() returns the current verification flags.
X509_VERIFY_PARAM_set_time() and
X509_VERIFY_PARAM_set_depth() do
not return values.
X509_VERIFY_PARAM_get_depth() returns the current verification depth.
VERIFICATION FLAGS¶
The verification flags consists of zero or more of the following flags ored
together.
X509_V_FLAG_CRL_CHECK enables CRL checking for the certificate chain leaf
certificate. An error occurs if a suitable CRL cannot be found.
X509_V_FLAG_CRL_CHECK_ALL enables CRL checking for the entire certificate
chain.
X509_V_FLAG_IGNORE_CRITICAL disabled critical extension checking. By
default any unhandled critical extensions in certificates or (if checked) CRLs
results in a fatal error. If this flag is set unhandled critical extensions
are ignored.
WARNING setting this option for anything other than
debugging purposes can be a security risk. Finer control over which extensions
are supported can be performed in the verification callback.
THe
X509_V_FLAG_X509_STRICT flag disables workarounds for some broken
certificates and makes the verification strictly apply
X509 rules.
X509_V_FLAG_ALLOW_PROXY_CERTS enables proxy certificate verification.
X509_V_FLAG_POLICY_CHECK enables certificate policy checking, by default
no policy checking is peformed. Additional information is sent to the
verification callback relating to policy checking.
X509_V_FLAG_EXPLICIT_POLICY,
X509_V_FLAG_INHIBIT_ANY and
X509_V_FLAG_INHIBIT_MAP set the
require explicit policy,
inhibit any policy and
inhibit policy mapping flags
respectively as defined in
RFC3280. Policy checking is automatically
enabled if any of these flags are set.
If
X509_V_FLAG_NOTIFY_POLICY is set and the policy checking is successful
a special status code is set to the verification callback. This permits it to
examine the valid policy tree and perform additional checks or simply log it
for debugging purposes.
By default some additional features such as indirect CRLs and CRLs signed by
different keys are disabled. If
X509_V_FLAG_EXTENDED_CRL_SUPPORT is set
they are enabled.
If
X509_V_FLAG_USE_DELTAS ise set delta CRLs (if present) are used to
determine certificate status. If not set deltas are ignored.
X509_V_FLAG_CHECK_SS_SIGNATURE enables checking of the root CA self
signed cerificate signature. By default this check is disabled because it
doesn't add any additional security but in some cases applications might want
to check the signature anyway. A side effect of not checking the root CA
signature is that disabled or unsupported message digests on the root CA are
not treated as fatal errors.
The
X509_V_FLAG_CB_ISSUER_CHECK flag enables debugging of certificate
issuer checks. It is
not needed unless you are logging certificate
verification. If this flag is set then additional status codes will be sent to
the verification callback and it
must be prepared to handle such cases
without assuming they are hard errors.
The
X509_V_FLAG_NO_ALT_CHAINS flag suppresses checking for alternative
chains. By default, when building a certificate chain, if the first
certificate chain found is not trusted, then OpenSSL will continue to check to
see if an alternative chain can be found that is trusted. With this flag set
the behaviour will match that of OpenSSL versions prior to 1.0.2b.
NOTES¶
The above functions should be used to manipulate verification parameters instead
of legacy functions which work in specific structures such as
X509_STORE_CTX_set_flags().
BUGS¶
Delta CRL checking is currently primitive. Only a single delta can be used and
(partly due to limitations of
X509_STORE) constructed CRLs are not
maintained.
If CRLs checking is enable CRLs are expected to be available in the
corresponding
X509_STORE structure. No attempt is made to download CRLs
from the CRL distribution points extension.
EXAMPLE¶
Enable CRL checking when performing certificate verification during SSL
connections associated with an
SSL_CTX structure
ctx:
X509_VERIFY_PARAM *param;
param = X509_VERIFY_PARAM_new();
X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
SSL_CTX_set1_param(ctx, param);
X509_VERIFY_PARAM_free(param);
SEE ALSO¶
X509_verify_cert(3),
X509_check_host(3),
X509_check_email(3),
X509_check_ip(3)
HISTORY¶
The
X509_V_FLAG_NO_ALT_CHAINS flag was added in OpenSSL 1.0.2b