NAME¶
X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags,
X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose,
X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth,
X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_time,
X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies - X509
verification parameters
SYNOPSIS¶
#include <openssl/x509_vfy.h>
int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags);
int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param,
unsigned long flags);
unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param);
int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose);
int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust);
void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t);
int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
ASN1_OBJECT *policy);
int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
STACK_OF(ASN1_OBJECT) *policies);
void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth);
int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param);
DESCRIPTION¶
These functions manipulate the
X509_VERIFY_PARAM structure associated
with a certificate verification operation.
The
X509_VERIFY_PARAM_set_flags() function sets the flags in
param
by oring it with
flags. See the
VERIFICATION FLAGS section for a
complete description of values the
flags parameter can take.
X509_VERIFY_PARAM_get_flags() returns the flags in
param.
X509_VERIFY_PARAM_clear_flags() clears the flags
flags in
param.
X509_VERIFY_PARAM_set_purpose() sets the verification purpose in
param to
purpose. This determines the acceptable purpose of the
certificate chain, for example SSL client or SSL server.
X509_VERIFY_PARAM_set_trust() sets the trust setting in
param to
trust.
X509_VERIFY_PARAM_set_time() sets the verification time in
param
to
t. Normally the current time is used.
X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
by default) and adds
policy to the acceptable policy set.
X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
by default) and sets the acceptable policy set to
policies. Any
existing policy set is cleared. The
policies parameter can be
NULL to clear an existing policy set.
X509_VERIFY_PARAM_set_depth() sets the maximum verification depth to
depth. That is the maximum number of untrusted CA certificates that can
appear in a chain.
RETURN VALUES¶
X509_VERIFY_PARAM_set_flags(),
X509_VERIFY_PARAM_clear_flags(),
X509_VERIFY_PARAM_set_purpose(),
X509_VERIFY_PARAM_set_trust(),
X509_VERIFY_PARAM_add0_policy() and
X509_VERIFY_PARAM_set1_policies() return 1 for success and 0 for
failure.
X509_VERIFY_PARAM_get_flags() returns the current verification flags.
X509_VERIFY_PARAM_set_time() and
X509_VERIFY_PARAM_set_depth() do
not return values.
X509_VERIFY_PARAM_get_depth() returns the current verification depth.
VERIFICATION FLAGS¶
The verification flags consists of zero or more of the following flags ored
together.
X509_V_FLAG_CRL_CHECK enables CRL checking for the certificate chain leaf
certificate. An error occurs if a suitable CRL cannot be found.
X509_V_FLAG_CRL_CHECK_ALL enables CRL checking for the entire certificate
chain.
X509_V_FLAG_IGNORE_CRITICAL disabled critical extension checking. By
default any unhandled critical extensions in certificates or (if checked) CRLs
results in a fatal error. If this flag is set unhandled critical extensions
are ignored.
WARNING setting this option for anything other than
debugging purposes can be a security risk. Finer control over which extensions
are supported can be performed in the verification callback.
THe
X509_V_FLAG_X509_STRICT flag disables workarounds for some broken
certificates and makes the verification strictly apply
X509 rules.
X509_V_FLAG_ALLOW_PROXY_CERTS enables proxy certificate verification.
X509_V_FLAG_POLICY_CHECK enables certificate policy checking, by default
no policy checking is peformed. Additional information is sent to the
verification callback relating to policy checking.
X509_V_FLAG_EXPLICIT_POLICY,
X509_V_FLAG_INHIBIT_ANY and
X509_V_FLAG_INHIBIT_MAP set the
require explicit policy,
inhibit any policy and
inhibit policy mapping flags
respectively as defined in
RFC3280. Policy checking is automatically
enabled if any of these flags are set.
If
X509_V_FLAG_NOTIFY_POLICY is set and the policy checking is successful
a special status code is set to the verification callback. This permits it to
examine the valid policy tree and perform additional checks or simply log it
for debugging purposes.
By default some additional features such as indirect CRLs and CRLs signed by
different keys are disabled. If
X509_V_FLAG_EXTENDED_CRL_SUPPORT is set
they are enabled.
If
X509_V_FLAG_USE_DELTAS ise set delta CRLs (if present) are used to
determine certificate status. If not set deltas are ignored.
X509_V_FLAG_CHECK_SS_SIGNATURE enables checking of the root CA self
signed cerificate signature. By default this check is disabled because it
doesn't add any additional security but in some cases applications might want
to check the signature anyway. A side effect of not checking the root CA
signature is that disabled or unsupported message digests on the root CA are
not treated as fatal errors.
The
X509_V_FLAG_CB_ISSUER_CHECK flag enables debugging of certificate
issuer checks. It is
not needed unless you are logging certificate
verification. If this flag is set then additional status codes will be sent to
the verification callback and it
must be prepared to handle such cases
without assuming they are hard errors.
NOTES¶
The above functions should be used to manipulate verification parameters instead
of legacy functions which work in specific structures such as
X509_STORE_CTX_set_flags().
BUGS¶
Delta CRL checking is currently primitive. Only a single delta can be used and
(partly due to limitations of
X509_STORE) constructed CRLs are not
maintained.
If CRLs checking is enable CRLs are expected to be available in the
corresponding
X509_STORE structure. No attempt is made to download CRLs
from the CRL distribution points extension.
EXAMPLE¶
Enable CRL checking when performing certificate verification during SSL
connections associated with an
SSL_CTX structure
ctx:
X509_VERIFY_PARAM *param;
param = X509_VERIFY_PARAM_new();
X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
SSL_CTX_set1_param(ctx, param);
X509_VERIFY_PARAM_free(param);
SEE ALSO¶
X509_verify_cert(3)
HISTORY¶
TBA