1X509_STORE_CTX_SET_VERIFY_CB(3) OpenSSL X509_STORE_CTX_SET_VERIFY_CB(3)
2
3
4
6 X509_STORE_CTX_get_cleanup, X509_STORE_CTX_get_lookup_crls,
7 X509_STORE_CTX_get_lookup_certs, X509_STORE_CTX_get_check_policy,
8 X509_STORE_CTX_get_cert_crl, X509_STORE_CTX_get_check_crl,
9 X509_STORE_CTX_get_get_crl, X509_STORE_CTX_get_check_revocation,
10 X509_STORE_CTX_get_check_issued, X509_STORE_CTX_get_get_issuer,
11 X509_STORE_CTX_get_verify_cb, X509_STORE_CTX_set_verify_cb,
12 X509_STORE_CTX_verify_cb - get and set verification callback
13
15 #include <openssl/x509_vfy.h>
16
17 typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *);
18
19 X509_STORE_CTX_verify_cb X509_STORE_CTX_get_verify_cb(X509_STORE_CTX *ctx);
20
21 void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
22 X509_STORE_CTX_verify_cb verify_cb);
23
24 X509_STORE_CTX_get_issuer_fn X509_STORE_CTX_get_get_issuer(X509_STORE_CTX *ctx);
25 X509_STORE_CTX_check_issued_fn X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx);
26 X509_STORE_CTX_check_revocation_fn X509_STORE_CTX_get_check_revocation(X509_STORE_CTX *ctx);
27 X509_STORE_CTX_get_crl_fn X509_STORE_CTX_get_get_crl(X509_STORE_CTX *ctx);
28 X509_STORE_CTX_check_crl_fn X509_STORE_CTX_get_check_crl(X509_STORE_CTX *ctx);
29 X509_STORE_CTX_cert_crl_fn X509_STORE_CTX_get_cert_crl(X509_STORE_CTX *ctx);
30 X509_STORE_CTX_check_policy_fn X509_STORE_CTX_get_check_policy(X509_STORE_CTX *ctx);
31 X509_STORE_CTX_lookup_certs_fn X509_STORE_CTX_get_lookup_certs(X509_STORE_CTX *ctx);
32 X509_STORE_CTX_lookup_crls_fn X509_STORE_CTX_get_lookup_crls(X509_STORE_CTX *ctx);
33 X509_STORE_CTX_cleanup_fn X509_STORE_CTX_get_cleanup(X509_STORE_CTX *ctx);
34
36 X509_STORE_CTX_set_verify_cb() sets the verification callback of ctx to
37 verify_cb overwriting any existing callback.
38
39 The verification callback can be used to customise the operation of
40 certificate verification, either by overriding error conditions or
41 logging errors for debugging purposes.
42
43 However, a verification callback is not essential and the default
44 operation is often sufficient.
45
46 The ok parameter to the callback indicates the value the callback
47 should return to retain the default behaviour. If it is zero then an
48 error condition is indicated. If it is 1 then no error occurred. If the
49 flag X509_V_FLAG_NOTIFY_POLICY is set then ok is set to 2 to indicate
50 the policy checking is complete.
51
52 The ctx parameter to the callback is the X509_STORE_CTX structure that
53 is performing the verification operation. A callback can examine this
54 structure and receive additional information about the error, for
55 example by calling X509_STORE_CTX_get_current_cert(). Additional
56 application data can be passed to the callback via the ex_data
57 mechanism.
58
59 X509_STORE_CTX_get_verify_cb() returns the value of the current
60 callback for the specific ctx.
61
62 X509_STORE_CTX_get_get_issuer(), X509_STORE_CTX_get_check_issued(),
63 X509_STORE_CTX_get_check_revocation(), X509_STORE_CTX_get_get_crl(),
64 X509_STORE_CTX_get_check_crl(), X509_STORE_CTX_get_cert_crl(),
65 X509_STORE_CTX_get_check_policy(), X509_STORE_CTX_get_lookup_certs(),
66 X509_STORE_CTX_get_lookup_crls() and X509_STORE_CTX_get_cleanup()
67 return the function pointers cached from the corresponding X509_STORE,
68 please see X509_STORE_set_verify(3) for more information.
69
71 In general a verification callback should NOT unconditionally return 1
72 in all circumstances because this will allow verification to succeed no
73 matter what the error. This effectively removes all security from the
74 application because any certificate (including untrusted generated
75 ones) will be accepted.
76
78 The verification callback can be set and inherited from the parent
79 structure performing the operation. In some cases (such as S/MIME
80 verification) the X509_STORE_CTX structure is created and destroyed
81 internally and the only way to set a custom verification callback is by
82 inheriting it from the associated X509_STORE.
83
85 X509_STORE_CTX_set_verify_cb() does not return a value.
86
88 Default callback operation:
89
90 int verify_callback(int ok, X509_STORE_CTX *ctx) {
91 return ok;
92 }
93
94 Simple example, suppose a certificate in the chain is expired and we
95 wish to continue after this error:
96
97 int verify_callback(int ok, X509_STORE_CTX *ctx) {
98 /* Tolerate certificate expiration */
99 if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_CERT_HAS_EXPIRED)
100 return 1;
101 /* Otherwise don't override */
102 return ok;
103 }
104
105 More complex example, we don't wish to continue after any certificate
106 has expired just one specific case:
107
108 int verify_callback(int ok, X509_STORE_CTX *ctx)
109 {
110 int err = X509_STORE_CTX_get_error(ctx);
111 X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx);
112
113 if (err == X509_V_ERR_CERT_HAS_EXPIRED) {
114 if (check_is_acceptable_expired_cert(err_cert)
115 return 1;
116 }
117 return ok;
118 }
119
120 Full featured logging callback. In this case the bio_err is assumed to
121 be a global logging BIO, an alternative would to store a BIO in ctx
122 using ex_data.
123
124 int verify_callback(int ok, X509_STORE_CTX *ctx)
125 {
126 X509 *err_cert;
127 int err, depth;
128
129 err_cert = X509_STORE_CTX_get_current_cert(ctx);
130 err = X509_STORE_CTX_get_error(ctx);
131 depth = X509_STORE_CTX_get_error_depth(ctx);
132
133 BIO_printf(bio_err, "depth=%d ", depth);
134 if (err_cert) {
135 X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert),
136 0, XN_FLAG_ONELINE);
137 BIO_puts(bio_err, "\n");
138 }
139 else
140 BIO_puts(bio_err, "<no cert>\n");
141 if (!ok)
142 BIO_printf(bio_err, "verify error:num=%d:%s\n", err,
143 X509_verify_cert_error_string(err));
144 switch (err) {
145 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
146 BIO_puts(bio_err, "issuer= ");
147 X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert),
148 0, XN_FLAG_ONELINE);
149 BIO_puts(bio_err, "\n");
150 break;
151 case X509_V_ERR_CERT_NOT_YET_VALID:
152 case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
153 BIO_printf(bio_err, "notBefore=");
154 ASN1_TIME_print(bio_err, X509_get_notBefore(err_cert));
155 BIO_printf(bio_err, "\n");
156 break;
157 case X509_V_ERR_CERT_HAS_EXPIRED:
158 case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
159 BIO_printf(bio_err, "notAfter=");
160 ASN1_TIME_print(bio_err, X509_get_notAfter(err_cert));
161 BIO_printf(bio_err, "\n");
162 break;
163 case X509_V_ERR_NO_EXPLICIT_POLICY:
164 policies_print(bio_err, ctx);
165 break;
166 }
167 if (err == X509_V_OK && ok == 2)
168 /* print out policies */
169
170 BIO_printf(bio_err, "verify return:%d\n", ok);
171 return(ok);
172 }
173
175 X509_STORE_CTX_get_error(3) X509_STORE_set_verify_cb_func(3)
176 X509_STORE_CTX_get_ex_new_index(3)
177
179 The X509_STORE_CTX_get_get_issuer(), X509_STORE_CTX_get_check_issued(),
180 X509_STORE_CTX_get_check_revocation(), X509_STORE_CTX_get_get_crl(),
181 X509_STORE_CTX_get_check_crl(), X509_STORE_CTX_get_cert_crl(),
182 X509_STORE_CTX_get_check_policy(), X509_STORE_CTX_get_lookup_certs(),
183 X509_STORE_CTX_get_lookup_crls() and X509_STORE_CTX_get_cleanup()
184 functions were added in OpenSSL 1.1.0.
185
187 Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
188
189 Licensed under the OpenSSL license (the "License"). You may not use
190 this file except in compliance with the License. You can obtain a copy
191 in the file LICENSE in the source distribution or at
192 <https://www.openssl.org/source/license.html>.
193
194
195
1961.1.1i 2021-07-22 X509_STORE_CTX_SET_VERIFY_CB(3)