X509_VERIFY_PARAM_set_flags(3)      OpenSSL     X509_VERIFY_PARAM_set_flags(3)


NAME

       X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags,
       X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose,
       X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth,
       X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_time,
       X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies - X509
       verification parameters


SYNOPSIS

        #include <openssl/x509_vfy.h>

        int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags);
        int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param,
                                          unsigned long flags);
        unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param);

        int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose);
        int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust);

        void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t);

        int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
                                          ASN1_OBJECT *policy);
        int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
                                            STACK_OF(ASN1_OBJECT) *policies);

        void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth);
        int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param);


DESCRIPTION

       These functions manipulate the X509_VERIFY_PARAM structure associated
       with a certificate verification operation.

       The X509_VERIFY_PARAM_set_flags() function sets the flags in param by
       ORing them with flags. See the VERIFICATION FLAGS section for a
       complete description of the values the flags parameter can take.

       X509_VERIFY_PARAM_get_flags() returns the flags in param.

       X509_VERIFY_PARAM_clear_flags() clears the flags given in flags from
       param.

       X509_VERIFY_PARAM_set_purpose() sets the verification purpose in param
       to purpose. This determines the acceptable purpose of the certificate
       chain, for example SSL client or SSL server.

       X509_VERIFY_PARAM_set_trust() sets the trust setting in param to trust.

       X509_VERIFY_PARAM_set_time() sets the verification time in param to t.
       Normally the current time is used.

       X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
       by default) and adds policy to the acceptable policy set.

       X509_VERIFY_PARAM_set1_policies() enables policy checking (it is
       disabled by default) and sets the acceptable policy set to policies.
       Any existing policy set is cleared. The policies parameter can be NULL
       to clear an existing policy set.

       X509_VERIFY_PARAM_set_depth() sets the maximum verification depth to
       depth. That is the maximum number of untrusted CA certificates that
       can appear in a chain.


RETURN VALUES

       X509_VERIFY_PARAM_set_flags(), X509_VERIFY_PARAM_clear_flags(),
       X509_VERIFY_PARAM_set_purpose(), X509_VERIFY_PARAM_set_trust(),
       X509_VERIFY_PARAM_add0_policy() and X509_VERIFY_PARAM_set1_policies()
       return 1 for success and 0 for failure.

       X509_VERIFY_PARAM_get_flags() returns the current verification flags.

       X509_VERIFY_PARAM_set_time() and X509_VERIFY_PARAM_set_depth() do not
       return values.

       X509_VERIFY_PARAM_get_depth() returns the current verification depth.


VERIFICATION FLAGS

       The verification flags consist of zero or more of the following flags
       ORed together.

       X509_V_FLAG_CRL_CHECK enables CRL checking for the certificate chain
       leaf certificate. An error occurs if a suitable CRL cannot be found.

       X509_V_FLAG_CRL_CHECK_ALL enables CRL checking for the entire
       certificate chain.

       X509_V_FLAG_IGNORE_CRITICAL disables critical extension checking. By
       default any unhandled critical extensions in certificates or (if
       checked) CRLs result in a fatal error. If this flag is set, unhandled
       critical extensions are ignored. WARNING: setting this option for
       anything other than debugging purposes can be a security risk. Finer
       control over which extensions are supported can be performed in the
       verification callback.

       The X509_V_FLAG_X509_STRICT flag disables workarounds for some broken
       certificates and makes the verification strictly apply X509 rules.

       X509_V_FLAG_ALLOW_PROXY_CERTS enables proxy certificate verification.

       X509_V_FLAG_POLICY_CHECK enables certificate policy checking; by
       default no policy checking is performed. Additional information is
       sent to the verification callback relating to policy checking.

       X509_V_FLAG_EXPLICIT_POLICY, X509_V_FLAG_INHIBIT_ANY and
       X509_V_FLAG_INHIBIT_MAP set the require explicit policy, inhibit any
       policy and inhibit policy mapping flags respectively as defined in
       RFC3280. Policy checking is automatically enabled if any of these flags
       are set.

       If X509_V_FLAG_NOTIFY_POLICY is set and the policy checking is
       successful, a special status code is sent to the verification callback.
       This permits it to examine the valid policy tree and perform additional
       checks or simply log it for debugging purposes.

       By default some additional features such as indirect CRLs and CRLs
       signed by different keys are disabled. If
       X509_V_FLAG_EXTENDED_CRL_SUPPORT is set they are enabled.

       If X509_V_FLAG_USE_DELTAS is set, delta CRLs (if present) are used to
       determine certificate status. If not set, deltas are ignored.

       X509_V_FLAG_CHECK_SS_SIGNATURE enables checking of the root CA self-
       signed certificate signature. By default this check is disabled because
       it doesn't add any additional security, but in some cases applications
       might want to check the signature anyway. A side effect of not checking
       the root CA signature is that disabled or unsupported message digests
       on the root CA are not treated as fatal errors.

       The X509_V_FLAG_CB_ISSUER_CHECK flag enables debugging of certificate
       issuer checks. It is not needed unless you are logging certificate
       verification. If this flag is set then additional status codes will be
       sent to the verification callback and it must be prepared to handle
       such cases without assuming they are hard errors.


NOTES

       The above functions should be used to manipulate verification
       parameters instead of legacy functions which work in specific
       structures such as X509_STORE_CTX_set_flags().


BUGS

       Delta CRL checking is currently primitive. Only a single delta can be
       used and (partly due to limitations of X509_STORE) constructed CRLs are
       not maintained.

       If CRL checking is enabled, CRLs are expected to be available in the
       corresponding X509_STORE structure. No attempt is made to download CRLs
       from the CRL distribution points extension.


EXAMPLE

       Enable CRL checking when performing certificate verification during SSL
       connections associated with an SSL_CTX structure ctx:

         #include <openssl/ssl.h>
         #include <openssl/x509_vfy.h>

         /* ctx is an existing, initialised SSL_CTX */
         X509_VERIFY_PARAM *param;
         param = X509_VERIFY_PARAM_new();
         X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
         SSL_CTX_set1_param(ctx, param);   /* ctx takes its own copy of param */
         X509_VERIFY_PARAM_free(param);    /* so the local copy can be freed */


SEE ALSO

       X509_verify_cert(3)


HISTORY

       TBA

1.0.0e                            2009-10-18    X509_VERIFY_PARAM_set_flags(3)