NAME
X509_STORE_CTX_new, X509_STORE_CTX_cleanup, X509_STORE_CTX_free, X509_STORE_CTX_init, X509_STORE_CTX_get0_store, X509_STORE_CTX_set0_trusted_stack, X509_STORE_CTX_trusted_stack, X509_STORE_CTX_set_cert, X509_STORE_CTX_set_chain, X509_STORE_CTX_set0_crls, X509_STORE_CTX_get0_param, X509_STORE_CTX_set0_param, X509_STORE_CTX_get0_untrusted, X509_STORE_CTX_set0_untrusted, X509_STORE_CTX_set_default — X509_STORE_CTX initialisation
SYNOPSIS
#include <openssl/x509_vfy.h>

X509_STORE_CTX *X509_STORE_CTX_new(void);

void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);

void X509_STORE_CTX_free(X509_STORE_CTX *ctx);

int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, STACK_OF(X509) *chain);

X509_STORE *X509_STORE_CTX_get0_store(X509_STORE_CTX *ctx);

void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);

void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);

void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x);

void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);

void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk);

X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx);

void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param);

int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name);

STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx);

void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);
DESCRIPTION
These functions initialise an X509_STORE_CTX structure for subsequent use by X509_verify_cert(3).

X509_STORE_CTX_new() returns a newly initialised X509_STORE_CTX structure.

X509_STORE_CTX_cleanup() internally cleans up an X509_STORE_CTX structure. The context can then be reused with a new call to X509_STORE_CTX_init().

X509_STORE_CTX_free() completely frees up ctx. After this call ctx is no longer valid. If ctx is a NULL pointer, no action occurs.

X509_STORE_CTX_init() sets up ctx for a subsequent verification operation. The trusted certificate store is set to store, the end entity certificate to be verified is set to x509, and a set of additional certificates (which will be untrusted but may be used to build the chain) is set to chain. Any or all of the store, x509, and chain parameters can be NULL.

X509_STORE_CTX_get0_store() returns an internal pointer to the trusted certificate store that was set with X509_STORE_CTX_init().

X509_STORE_CTX_set0_trusted_stack() sets the set of trusted certificates of ctx to sk. This is an alternative way of specifying trusted certificates instead of using an X509_STORE.

X509_STORE_CTX_trusted_stack() is a deprecated alias for X509_STORE_CTX_set0_trusted_stack().

X509_STORE_CTX_set_cert() sets the certificate to be verified in ctx to x.

X509_STORE_CTX_set_chain() sets the additional certificate chain used by ctx to sk.

X509_STORE_CTX_set0_crls() sets a set of CRLs to use to aid certificate verification to sk. These CRLs will only be used if CRL verification is enabled in the associated X509_VERIFY_PARAM structure. This might be used where additional "useful" CRLs are supplied as part of a protocol, for example in a PKCS#7 structure.

X509_STORE_CTX_get0_param() retrieves an internal pointer to the verification parameters associated with ctx.

X509_STORE_CTX_set0_param() sets the internal verification parameter pointer to param. After this call param should not be used.

X509_STORE_CTX_set_default() looks up and sets the default verification method to name. This uses the function X509_VERIFY_PARAM_lookup(3) to find an appropriate set of parameters from name.

X509_STORE_CTX_get0_untrusted() retrieves an internal pointer to the stack of untrusted certificates associated with ctx.

X509_STORE_CTX_set0_untrusted() sets the internal pointer to the stack of untrusted certificates associated with ctx to sk.
The certificates and CRLs in a store are used internally and should not be freed up until after the associated X509_STORE_CTX is freed. Legacy applications might implicitly use an X509_STORE_CTX like this:

    X509_STORE_CTX ctx;
    X509_STORE_CTX_init(&ctx, store, cert, chain);

This is not recommended in new applications. They should instead do:

    X509_STORE_CTX *ctx;
    ctx = X509_STORE_CTX_new();
    if (ctx == NULL)
        goto err;   /* Bad error */
    if (!X509_STORE_CTX_init(ctx, store, cert, chain))
        goto err;   /* Bad error */
RETURN VALUES
X509_STORE_CTX_new() returns a newly allocated context or NULL if an error occurred.

X509_STORE_CTX_init() returns 1 for success or 0 if an error occurred.

X509_STORE_CTX_get0_store() returns a pointer to the trusted certificate store or NULL if ctx was not initialised.

X509_STORE_CTX_get0_param() returns a pointer to an X509_VERIFY_PARAM structure or NULL if an error occurred.

X509_STORE_CTX_set_default() returns 1 for success or 0 if an error occurred.

X509_STORE_CTX_get0_untrusted() returns an internal pointer.
SEE ALSO
X509_STORE_CTX_get_error(3), X509_STORE_new(3), X509_STORE_set1_param(3), X509_verify_cert(3), X509_VERIFY_PARAM_set_flags(3)
HISTORY
X509_STORE_CTX_cleanup(), X509_STORE_CTX_init(), X509_STORE_CTX_set_cert(), and X509_STORE_CTX_set_chain() first appeared in SSLeay 0.8.0 and have been available since OpenBSD 2.4.

X509_STORE_CTX_new() and X509_STORE_CTX_free() first appeared in OpenSSL 0.9.5 and have been available since OpenBSD 2.7.

X509_STORE_CTX_trusted_stack() first appeared in OpenSSL 0.9.6 and has been available since OpenBSD 2.9.

X509_STORE_CTX_set0_crls(), X509_STORE_CTX_get0_param(), X509_STORE_CTX_set0_param(), and X509_STORE_CTX_set_default() first appeared in OpenSSL 0.9.8 and have been available since OpenBSD 4.5.

X509_STORE_CTX_get0_store() first appeared in OpenSSL 1.0.2.

X509_STORE_CTX_set0_trusted_stack(), X509_STORE_CTX_get0_untrusted(), and X509_STORE_CTX_set0_untrusted() first appeared in OpenSSL 1.1.0. These functions have been available since OpenBSD 6.3.
BUGS
The certificates and CRLs in a context are used internally and should not be freed up until after the associated X509_STORE_CTX is freed. Copies should be made or reference counts increased instead.