1X509_STORE_CTX_set_verify_cb(3)     OpenSSL    X509_STORE_CTX_set_verify_cb(3)
2
3
4

NAME

6       X509_STORE_CTX_set_verify_cb - set verification callback
7

SYNOPSIS

9        #include <openssl/x509_vfy.h>
10
11        void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
12                                       int (*verify_cb)(int ok, X509_STORE_CTX *ctx));
13

DESCRIPTION

15       X509_STORE_CTX_set_verify_cb() sets the verification callback of ctx to
16       verify_cb overwriting any existing callback.
17
18       The verification callback can be used to customise the operation of
19       certificate verification, either by overriding error conditions or
20       logging errors for debugging purposes.
21
22       However a verification callback is not essential and the default
23       operation is often sufficient.
24
25       The ok parameter to the callback indicates the value the callback
26       should return to retain the default behaviour. If it is zero then and
27       error condition is indicated. If it is 1 then no error occurred. If the
28       flag X509_V_FLAG_NOTIFY_POLICY is set then ok is set to 2 to indicate
29       the policy checking is complete.
30
31       The ctx parameter to the callback is the X509_STORE_CTX structure that
32       is performing the verification operation. A callback can examine this
33       structure and receive additional information about the error, for
34       example by calling X509_STORE_CTX_get_current_cert(). Additional
35       application data can be passed to the callback via the ex_data
36       mechanism.
37

WARNING

39       In general a verification callback should NOT unconditionally return 1
40       in all circumstances because this will allow verification to succeed no
41       matter what the error. This effectively removes all security from the
42       application because any certificate (including untrusted generated
43       ones) will be accepted.
44

NOTES

46       The verification callback can be set and inherited from the parent
47       structure performing the operation. In some cases (such as S/MIME
48       verification) the X509_STORE_CTX structure is created and destroyed
49       internally and the only way to set a custom verification callback is by
50       inheriting it from the associated X509_STORE.
51

RETURN VALUES

53       X509_STORE_CTX_set_verify_cb() does not return a value.
54

EXAMPLES

56       Default callback operation:
57
58        int verify_callback(int ok, X509_STORE_CTX *ctx)
59               {
60               return ok;
61               }
62
63       Simple example, suppose a certificate in the chain is expired and we
64       wish to continue after this error:
65
66        int verify_callback(int ok, X509_STORE_CTX *ctx)
67               {
68               /* Tolerate certificate expiration */
69               if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_CERT_HAS_EXPIRED)
70                               return 1;
71               /* Otherwise don't override */
72               return ok;
73               }
74
75       More complex example, we don't wish to continue after any certificate
76       has expired just one specific case:
77
78        int verify_callback(int ok, X509_STORE_CTX *ctx)
79               {
80               int err = X509_STORE_CTX_get_error(ctx);
81               X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx);
82               if (err == X509_V_ERR_CERT_HAS_EXPIRED)
83                       {
84                       if (check_is_acceptable_expired_cert(err_cert)
85                               return 1;
86                       }
87               return ok;
88               }
89
90       Full featured logging callback. In this case the bio_err is assumed to
91       be a global logging BIO, an alternative would to store a BIO in ctx
92       using ex_data.
93
94        int verify_callback(int ok, X509_STORE_CTX *ctx)
95               {
96               X509 *err_cert;
97               int err,depth;
98
99               err_cert = X509_STORE_CTX_get_current_cert(ctx);
100               err =   X509_STORE_CTX_get_error(ctx);
101               depth = X509_STORE_CTX_get_error_depth(ctx);
102
103               BIO_printf(bio_err,"depth=%d ",depth);
104               if (err_cert)
105                       {
106                       X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert),
107                                               0, XN_FLAG_ONELINE);
108                       BIO_puts(bio_err, "\n");
109                       }
110               else
111                       BIO_puts(bio_err, "<no cert>\n");
112               if (!ok)
113                       BIO_printf(bio_err,"verify error:num=%d:%s\n",err,
114                               X509_verify_cert_error_string(err));
115               switch (err)
116                       {
117               case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
118                       BIO_puts(bio_err,"issuer= ");
119                       X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert),
120                                               0, XN_FLAG_ONELINE);
121                       BIO_puts(bio_err, "\n");
122                       break;
123               case X509_V_ERR_CERT_NOT_YET_VALID:
124               case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
125                       BIO_printf(bio_err,"notBefore=");
126                       ASN1_TIME_print(bio_err,X509_get_notBefore(err_cert));
127                       BIO_printf(bio_err,"\n");
128                       break;
129               case X509_V_ERR_CERT_HAS_EXPIRED:
130               case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
131                       BIO_printf(bio_err,"notAfter=");
132                       ASN1_TIME_print(bio_err,X509_get_notAfter(err_cert));
133                       BIO_printf(bio_err,"\n");
134                       break;
135               case X509_V_ERR_NO_EXPLICIT_POLICY:
136                       policies_print(bio_err, ctx);
137                       break;
138                       }
139               if (err == X509_V_OK && ok == 2)
140                       /* print out policies */
141
142               BIO_printf(bio_err,"verify return:%d\n",ok);
143               return(ok);
144               }
145

SEE ALSO

147       X509_STORE_CTX_get_error(3) X509_STORE_set_verify_cb_func(3)
148       X509_STORE_CTX_get_ex_new_index(3)
149

HISTORY

151       X509_STORE_CTX_set_verify_cb() is available in all versions of SSLeay
152       and OpenSSL.
153
154
155
1561.0.2o                            2020-08-01   X509_STORE_CTX_set_verify_cb(3)
Impressum