manpagez: man pages & more
man X509_STORE_CTX_verify(3)
Home | html | info | man
X509_VERIFY_CERT(3ossl)             OpenSSL            X509_VERIFY_CERT(3ossl)



NAME

       X509_build_chain, X509_verify_cert, X509_STORE_CTX_verify - build and
       verify X509 certificate chain


SYNOPSIS

        #include <openssl/x509_vfy.h>

        STACK_OF(X509) *X509_build_chain(X509 *target, STACK_OF(X509) *certs,
                                         X509_STORE *store, int with_self_signed,
                                         OSSL_LIB_CTX *libctx, const char *propq);
        int X509_verify_cert(X509_STORE_CTX *ctx);
        int X509_STORE_CTX_verify(X509_STORE_CTX *ctx);


DESCRIPTION

       X509_build_chain() builds a certificate chain starting from target
       using the optional list of intermediate CA certificates certs.  If
       store is NULL it builds the chain as far down as possible, ignoring
       errors.  Else the chain must reach a trust anchor contained in store.
       It internally uses a X509_STORE_CTX structure associated with the
       library context libctx and property query string propq, both of which
       may be NULL.  In case there is more than one possibility for the chain,
       only one is taken.

       On success it returns a pointer to a new stack of (up_ref'ed)
       certificates starting with target and followed by all available
       intermediate certificates.  A self-signed trust anchor is included only
       if target is the trust anchor of with_self_signed is 1.  If a non-NULL
       stack is returned the caller is responsible for freeing it.

       The X509_verify_cert(3) function attempts to discover and validate a
       certificate chain based on parameters in ctx.  The verification
       context, of type X509_STORE_CTX, can be constructed using
       X509_STORE_CTX_new(3) and X509_STORE_CTX_init(3).  It usually includes
       a target certificate to be verified, a set of certificates serving as
       trust anchors, a list of non-trusted certificates that may be helpful
       for chain construction, flags such as X509_V_FLAG_X509_STRICT, and
       various other optional components such as a callback function that
       allows customizing the verification outcome.  A complete description of
       the certificate verification process is contained in the
       openssl-verification-options(1) manual page.

       Applications rarely call this function directly but it is used by
       OpenSSL internally for certificate validation, in both the S/MIME and
       SSL/TLS code.

       A negative return value from X509_verify_cert(3) can occur if it is
       invoked incorrectly, such as with no certificate set in ctx, or when it
       is called twice in succession without reinitialising ctx for the second
       call.  A negative return value can also happen due to internal resource
       problems or because an internal inconsistency has been detected.
       Applications must interpret any return value <= 0 as an error.

       The X509_verify_cert(3) except that
       its target certificate is the first element of the list of untrusted
       certificates in ctx unless a target certificate is set explicitly.

       When the verification target is a raw public key, rather than a
       certificate, both functions validate the target raw public key.  In
       that case the number of possible checks is significantly reduced.  The
       raw public key can be authenticated only via DANE TLSA records, either
       locally synthesised or obtained by the application from DNS.  Raw
       public key DANE TLSA records may be added via SSL_add_expected_rpk(3)
       or SSL_dane_tlsa_add(3).


RETURN VALUES

       X509_build_chain() returns NULL on error, else a stack of certificates.

       Both X509_verify_cert(3) and X509_STORE_CTX_verify() return 1 if a
       complete chain can be built and validated, otherwise they return 0, and
       in exceptional circumstances (such as malloc failure and internal
       errors) they can also return a negative code.

       If a complete chain can be built and validated both functions return 1.
       If the certificate must be rejected on the basis of the data available
       or any required certificate status data is not available they return 0.
       If no definite answer possible they usually return a negative code.

       On error or failure additional error information can be obtained by
       examining ctx using, for example, X509_STORE_CTX_get_error(3).  Even if
       verification indicated success, the stored error code may be different
       from X509_V_OK, likely because a verification callback function has
       waived the error.


SEE ALSO

       SSL_add_expected_rpk(3), SSL_CTX_dane_enable(3), SSL_dane_tlsa_add(3),
       X509_STORE_CTX_new(3), X509_STORE_CTX_init(3),
       X509_STORE_CTX_init_rpk(3), X509_STORE_CTX_get_error(3)


HISTORY

       X509_build_chain() and X509_STORE_CTX_verify() were added in OpenSSL
       3.0.


COPYRIGHT

       Copyright 2009-2023 The OpenSSL Project Authors. All Rights Reserved.

       Licensed under the Apache License 2.0 (the "License").  You may not use
       this file except in compliance with the License.  You can obtain a copy
       in the file LICENSE in the source distribution or at
       <https://www.openssl.org/source/license.html>.

3.3.2                             2024-09-04           X509_VERIFY_CERT(3ossl)

openssl 3.3.2 - Generated Sun Sep 29 07:42:34 CDT 2024
© manpagez.com 2000-2024
Individual documents may contain additional copyright information.