1X509_STORE_CTX_SET_VERIFY_CB(3)     OpenSSL    X509_STORE_CTX_SET_VERIFY_CB(3)
2
3
4

NAME

6       X509_STORE_CTX_get_cleanup, X509_STORE_CTX_get_lookup_crls,
7       X509_STORE_CTX_get_lookup_certs, X509_STORE_CTX_get_check_policy,
8       X509_STORE_CTX_get_cert_crl, X509_STORE_CTX_get_check_crl,
9       X509_STORE_CTX_get_get_crl, X509_STORE_CTX_get_check_revocation,
10       X509_STORE_CTX_get_check_issued, X509_STORE_CTX_get_get_issuer,
11       X509_STORE_CTX_get_verify_cb, X509_STORE_CTX_set_verify_cb,
12       X509_STORE_CTX_verify_cb - get and set verification callback
13

SYNOPSIS

15        #include <openssl/x509_vfy.h>
16
17        typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *);
18
19        X509_STORE_CTX_verify_cb X509_STORE_CTX_get_verify_cb(X509_STORE_CTX *ctx);
20
21        void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
22                                          X509_STORE_CTX_verify_cb verify_cb);
23
24        X509_STORE_CTX_get_issuer_fn X509_STORE_CTX_get_get_issuer(X509_STORE_CTX *ctx);
25        X509_STORE_CTX_check_issued_fn X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx);
26        X509_STORE_CTX_check_revocation_fn X509_STORE_CTX_get_check_revocation(X509_STORE_CTX *ctx);
27        X509_STORE_CTX_get_crl_fn X509_STORE_CTX_get_get_crl(X509_STORE_CTX *ctx);
28        X509_STORE_CTX_check_crl_fn X509_STORE_CTX_get_check_crl(X509_STORE_CTX *ctx);
29        X509_STORE_CTX_cert_crl_fn X509_STORE_CTX_get_cert_crl(X509_STORE_CTX *ctx);
30        X509_STORE_CTX_check_policy_fn X509_STORE_CTX_get_check_policy(X509_STORE_CTX *ctx);
31        X509_STORE_CTX_lookup_certs_fn X509_STORE_CTX_get_lookup_certs(X509_STORE_CTX *ctx);
32        X509_STORE_CTX_lookup_crls_fn X509_STORE_CTX_get_lookup_crls(X509_STORE_CTX *ctx);
33        X509_STORE_CTX_cleanup_fn X509_STORE_CTX_get_cleanup(X509_STORE_CTX *ctx);
34

DESCRIPTION

36       X509_STORE_CTX_set_verify_cb() sets the verification callback of ctx to
37       verify_cb overwriting any existing callback.
38
39       The verification callback can be used to customise the operation of
40       certificate verification, either by overriding error conditions or
41       logging errors for debugging purposes.
42
43       However, a verification callback is not essential and the default
44       operation is often sufficient.
45
46       The ok parameter to the callback indicates the value the callback
47       should return to retain the default behaviour. If it is zero then an
48       error condition is indicated. If it is 1 then no error occurred. If the
49       flag X509_V_FLAG_NOTIFY_POLICY is set then ok is set to 2 to indicate
50       the policy checking is complete.
51
52       The ctx parameter to the callback is the X509_STORE_CTX structure that
53       is performing the verification operation. A callback can examine this
54       structure and receive additional information about the error, for
55       example by calling X509_STORE_CTX_get_current_cert(). Additional
56       application data can be passed to the callback via the ex_data
57       mechanism.
58
59       X509_STORE_CTX_get_verify_cb() returns the value of the current
60       callback for the specific ctx.
61
62       X509_STORE_CTX_get_get_issuer(), X509_STORE_CTX_get_check_issued(),
63       X509_STORE_CTX_get_check_revocation(), X509_STORE_CTX_get_get_crl(),
64       X509_STORE_CTX_get_check_crl(), X509_STORE_CTX_get_cert_crl(),
65       X509_STORE_CTX_get_check_policy(), X509_STORE_CTX_get_lookup_certs(),
66       X509_STORE_CTX_get_lookup_crls() and X509_STORE_CTX_get_cleanup()
67       return the function pointers cached from the corresponding X509_STORE,
68       please see X509_STORE_set_verify(3) for more information.
69

WARNINGS

71       In general a verification callback should NOT unconditionally return 1
72       in all circumstances because this will allow verification to succeed no
73       matter what the error. This effectively removes all security from the
74       application because any certificate (including untrusted generated
75       ones) will be accepted.
76

NOTES

78       The verification callback can be set and inherited from the parent
79       structure performing the operation. In some cases (such as S/MIME
80       verification) the X509_STORE_CTX structure is created and destroyed
81       internally and the only way to set a custom verification callback is by
82       inheriting it from the associated X509_STORE.
83

RETURN VALUES

85       X509_STORE_CTX_set_verify_cb() does not return a value.
86

EXAMPLES

88       Default callback operation:
89
90        int verify_callback(int ok, X509_STORE_CTX *ctx) {
91            return ok;
92        }
93
94       Simple example, suppose a certificate in the chain is expired and we
95       wish to continue after this error:
96
97        int verify_callback(int ok, X509_STORE_CTX *ctx) {
98            /* Tolerate certificate expiration */
99            if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_CERT_HAS_EXPIRED)
100                return 1;
101            /* Otherwise don't override */
102            return ok;
103        }
104
105       More complex example, we don't wish to continue after any certificate
106       has expired just one specific case:
107
108        int verify_callback(int ok, X509_STORE_CTX *ctx)
109        {
110            int err = X509_STORE_CTX_get_error(ctx);
111            X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx);
112
113            if (err == X509_V_ERR_CERT_HAS_EXPIRED) {
114                if (check_is_acceptable_expired_cert(err_cert)
115                    return 1;
116            }
117            return ok;
118        }
119
120       Full featured logging callback. In this case the bio_err is assumed to
121       be a global logging BIO, an alternative would to store a BIO in ctx
122       using ex_data.
123
124        int verify_callback(int ok, X509_STORE_CTX *ctx)
125        {
126            X509 *err_cert;
127            int err, depth;
128
129            err_cert = X509_STORE_CTX_get_current_cert(ctx);
130            err = X509_STORE_CTX_get_error(ctx);
131            depth = X509_STORE_CTX_get_error_depth(ctx);
132
133            BIO_printf(bio_err, "depth=%d ", depth);
134            if (err_cert) {
135                X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert),
136                                   0, XN_FLAG_ONELINE);
137                BIO_puts(bio_err, "\n");
138            }
139            else
140                BIO_puts(bio_err, "<no cert>\n");
141            if (!ok)
142                BIO_printf(bio_err, "verify error:num=%d:%s\n", err,
143                           X509_verify_cert_error_string(err));
144            switch (err) {
145            case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
146                BIO_puts(bio_err, "issuer= ");
147                X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert),
148                                   0, XN_FLAG_ONELINE);
149                BIO_puts(bio_err, "\n");
150                break;
151            case X509_V_ERR_CERT_NOT_YET_VALID:
152            case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
153                BIO_printf(bio_err, "notBefore=");
154                ASN1_TIME_print(bio_err, X509_get_notBefore(err_cert));
155                BIO_printf(bio_err, "\n");
156                break;
157            case X509_V_ERR_CERT_HAS_EXPIRED:
158            case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
159                BIO_printf(bio_err, "notAfter=");
160                ASN1_TIME_print(bio_err, X509_get_notAfter(err_cert));
161                BIO_printf(bio_err, "\n");
162                break;
163            case X509_V_ERR_NO_EXPLICIT_POLICY:
164                policies_print(bio_err, ctx);
165                break;
166            }
167            if (err == X509_V_OK && ok == 2)
168                /* print out policies */
169
170            BIO_printf(bio_err, "verify return:%d\n", ok);
171            return(ok);
172        }
173

SEE ALSO

175       X509_STORE_CTX_get_error(3) X509_STORE_set_verify_cb_func(3)
176       X509_STORE_CTX_get_ex_new_index(3)
177

HISTORY

179       The X509_STORE_CTX_get_get_issuer(), X509_STORE_CTX_get_check_issued(),
180       X509_STORE_CTX_get_check_revocation(), X509_STORE_CTX_get_get_crl(),
181       X509_STORE_CTX_get_check_crl(), X509_STORE_CTX_get_cert_crl(),
182       X509_STORE_CTX_get_check_policy(), X509_STORE_CTX_get_lookup_certs(),
183       X509_STORE_CTX_get_lookup_crls() and X509_STORE_CTX_get_cleanup()
184       functions were added in OpenSSL 1.1.0.
185
187       Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
188
189       Licensed under the OpenSSL license (the "License").  You may not use
190       this file except in compliance with the License.  You can obtain a copy
191       in the file LICENSE in the source distribution or at
192       <https://www.openssl.org/source/license.html>.
193
194
195
1961.1.1i                            2021-07-22   X509_STORE_CTX_SET_VERIFY_CB(3)
Impressum