libressl-X509_STORE_CTX_set_verify - user-defined certificate chain verification function


X509_STORE_CTX_SET_VERIFY(3) Library Functions Manual X509_STORE_CTX_SET_VERIFY(3)

NAME

X509_STORE_CTX_verify_fn, X509_STORE_CTX_set_verify, X509_STORE_CTX_get_verify, X509_STORE_set_verify, X509_STORE_set_verify_func, X509_STORE_get_verify, X509_STORE_CTX_check_issued_fn, X509_STORE_set_check_issued, X509_STORE_get_check_issued, X509_STORE_CTX_get_check_issued — user-defined certificate chain verification function

SYNOPSIS

#include <openssl/x509_vfy.h>

typedef int
(*X509_STORE_CTX_verify_fn)(X509_STORE_CTX *ctx);

void
X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx, X509_STORE_CTX_verify_fn verify);

X509_STORE_CTX_verify_fn
X509_STORE_CTX_get_verify(X509_STORE_CTX *ctx);

void
X509_STORE_set_verify(X509_STORE *store, X509_STORE_CTX_verify_fn verify);

void
X509_STORE_set_verify_func(X509_STORE *store, X509_STORE_CTX_verify_fn verify);

X509_STORE_CTX_verify_fn
X509_STORE_get_verify(X509_STORE *store);

typedef int
(*X509_STORE_CTX_check_issued_fn)(X509_STORE_CTX *ctx, X509 *subject, X509 *issuer);

void
X509_STORE_set_check_issued(X509_STORE *store, X509_STORE_CTX_check_issued_fn check_issued);

X509_STORE_CTX_check_issued_fn
X509_STORE_get_check_issued(X509_STORE *store);

X509_STORE_CTX_check_issued_fn
X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx);

DESCRIPTION

X509_STORE_CTX_set_verify() configures ctx to use the verify argument as the X.509 certificate chain verification function instead of the default verification function built into the library when X509_verify_cert(3) is called.

The verify function provided by the user is only called if the X509_V_FLAG_LEGACY_VERIFY or X509_V_FLAG_NO_ALT_CHAINS flag was set on ctx using X509_STORE_CTX_set_flags(3) or X509_VERIFY_PARAM_set_flags(3). Otherwise, it is ignored and a different algorithm is used that does not support replacing the verification function.

X509_STORE_set_verify() saves the function pointer verify in the given store object. That pointer will be copied to an X509_STORE_CTX object when store is later passed as an argument to X509_STORE_CTX_init(3).

X509_STORE_set_verify_func() is an alias for X509_STORE_set_verify() implemented as a macro.

X509_STORE_set_check_issued() saves the function pointer check_issued in the given store object. That pointer will be copied to an X509_STORE_CTX object when store is later passed as an argument to X509_STORE_CTX_init(3).

The check_issued function provided by the user should check whether a given certificate subject was issued using the CA certificate issuer, and must return 0 on failure and 1 on success.

RETURN VALUES

X509_STORE_CTX_verify_fn() is supposed to return 1 to indicate that the chain is valid or 0 if it is not or if an error occurred.

X509_STORE_CTX_get_verify() returns a function pointer previously set with X509_STORE_CTX_set_verify() or X509_STORE_CTX_init(3), or NULL if ctx is uninitialized.

X509_STORE_get_verify() returns the function pointer previously set with X509_STORE_set_verify(), or NULL if that function was not called on the store.

X509_STORE_get_check_issued() returns the function pointer previously set with X509_STORE_set_check_issued(), or NULL if that function was not called on the store.

X509_STORE_CTX_get_check_issued() returns the check_issued() function pointer set on the X509_STORE_CTX. This is either the check_issued() function inherited from the store used in X509_STORE_CTX_init(3) or the library’s default implementation.

SEE ALSO

X509_check_issued(3), X509_STORE_CTX_init(3), X509_STORE_CTX_set_error(3), X509_STORE_CTX_set_flags(3), X509_STORE_CTX_set_verify_cb(3), X509_STORE_new(3), X509_STORE_set_flags(3), X509_STORE_set_verify_cb(3), X509_verify_cert(3), X509_VERIFY_PARAM_set_flags(3)

HISTORY

X509_STORE_set_verify_func() first appeared in SSLeay 0.8.0 and has been available since OpenBSD 2.4.

X509_STORE_CTX_set_verify() and X509_STORE_CTX_get_verify() first appeared in OpenSSL 1.1.0 and have been available since OpenBSD 7.1.

X509_STORE_CTX_verify_fn(), X509_STORE_set_verify(), and X509_STORE_get_verify() first appeared in OpenSSL 1.1.0 and have been available since OpenBSD 7.2.

X509_STORE_set_check_issued(), X509_STORE_get_check_issued(), and X509_STORE_CTX_get_check_issued() first appeared in OpenSSL 1.1.0 and have been available since OpenBSD 7.3.

GNU August 10, 2023 X509_STORE_CTX_SET_VERIFY(3)