1=pod 2 3=head1 NAME 4 5X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose, X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth, X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_time, X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies - X509 verification parameters 6 7=head1 SYNOPSIS 8 9 #include <openssl/x509_vfy.h> 10 11 int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags); 12 int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, 13 unsigned long flags); 14 unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param); 15 16 int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose); 17 int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust); 18 19 void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t); 20 21 int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, 22 ASN1_OBJECT *policy); 23 int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, 24 STACK_OF(ASN1_OBJECT) *policies); 25 26 void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth); 27 int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param); 28 29=head1 DESCRIPTION 30 31These functions manipulate the B<X509_VERIFY_PARAM> structure associated with 32a certificate verification operation. 33 34The X509_VERIFY_PARAM_set_flags() function sets the flags in B<param> by oring 35it with B<flags>. See the B<VERIFICATION FLAGS> section for a complete 36description of values the B<flags> parameter can take. 37 38X509_VERIFY_PARAM_get_flags() returns the flags in B<param>. 39 40X509_VERIFY_PARAM_clear_flags() clears the flags B<flags> in B<param>. 41 42X509_VERIFY_PARAM_set_purpose() sets the verification purpose in B<param> 43to B<purpose>. This determines the acceptable purpose of the certificate 44chain, for example SSL client or SSL server. 45 46X509_VERIFY_PARAM_set_trust() sets the trust setting in B<param> to 47B<trust>. 48 49X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to 50B<t>. Normally the current time is used. 51 52X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled 53by default) and adds B<policy> to the acceptable policy set. 54 55X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled 56by default) and sets the acceptable policy set to B<policies>. Any existing 57policy set is cleared. The B<policies> parameter can be B<NULL> to clear 58an existing policy set. 59 60X509_VERIFY_PARAM_set_depth() sets the maximum verification depth to B<depth>. 61That is the maximum number of untrusted CA certificates that can appear in a 62chain. 63 64=head1 RETURN VALUES 65 66X509_VERIFY_PARAM_set_flags(), X509_VERIFY_PARAM_clear_flags(), 67X509_VERIFY_PARAM_set_purpose(), X509_VERIFY_PARAM_set_trust(), 68X509_VERIFY_PARAM_add0_policy() and X509_VERIFY_PARAM_set1_policies() return 1 69for success and 0 for failure. 70 71X509_VERIFY_PARAM_get_flags() returns the current verification flags. 72 73X509_VERIFY_PARAM_set_time() and X509_VERIFY_PARAM_set_depth() do not return 74values. 75 76X509_VERIFY_PARAM_get_depth() returns the current verification depth. 77 78=head1 VERIFICATION FLAGS 79 80The verification flags consists of zero or more of the following flags 81ored together. 82 83B<X509_V_FLAG_CRL_CHECK> enables CRL checking for the certificate chain leaf 84certificate. An error occurs if a suitable CRL cannot be found. 85 86B<X509_V_FLAG_CRL_CHECK_ALL> enables CRL checking for the entire certificate 87chain. 88 89B<X509_V_FLAG_IGNORE_CRITICAL> disabled critical extension checking. By default 90any unhandled critical extensions in certificates or (if checked) CRLs results 91in a fatal error. If this flag is set unhandled critical extensions are 92ignored. B<WARNING> setting this option for anything other than debugging 93purposes can be a security risk. Finer control over which extensions are 94supported can be performed in the verification callback. 95 96THe B<X509_V_FLAG_X509_STRICT> flag disables workarounds for some broken 97certificates and makes the verification strictly apply B<X509> rules. 98 99B<X509_V_FLAG_ALLOW_PROXY_CERTS> enables proxy certificate verification. 100 101B<X509_V_FLAG_POLICY_CHECK> enables certificate policy checking, by default 102no policy checking is peformed. Additional information is sent to the 103verification callback relating to policy checking. 104 105B<X509_V_FLAG_EXPLICIT_POLICY>, B<X509_V_FLAG_INHIBIT_ANY> and 106B<X509_V_FLAG_INHIBIT_MAP> set the B<require explicit policy>, B<inhibit any 107policy> and B<inhibit policy mapping> flags respectively as defined in 108B<RFC3280>. Policy checking is automatically enabled if any of these flags 109are set. 110 111If B<X509_V_FLAG_NOTIFY_POLICY> is set and the policy checking is successful 112a special status code is set to the verification callback. This permits it 113to examine the valid policy tree and perform additional checks or simply 114log it for debugging purposes. 115 116By default some additional features such as indirect CRLs and CRLs signed by 117different keys are disabled. If B<X509_V_FLAG_EXTENDED_CRL_SUPPORT> is set 118they are enabled. 119 120If B<X509_V_FLAG_USE_DELTAS> ise set delta CRLs (if present) are used to 121determine certificate status. If not set deltas are ignored. 122 123B<X509_V_FLAG_CHECK_SS_SIGNATURE> enables checking of the root CA self signed 124cerificate signature. By default this check is disabled because it doesn't 125add any additional security but in some cases applications might want to 126check the signature anyway. A side effect of not checking the root CA 127signature is that disabled or unsupported message digests on the root CA 128are not treated as fatal errors. 129 130The B<X509_V_FLAG_CB_ISSUER_CHECK> flag enables debugging of certificate 131issuer checks. It is B<not> needed unless you are logging certificate 132verification. If this flag is set then additional status codes will be sent 133to the verification callback and it B<must> be prepared to handle such cases 134without assuming they are hard errors. 135 136=head1 NOTES 137 138The above functions should be used to manipulate verification parameters 139instead of legacy functions which work in specific structures such as 140X509_STORE_CTX_set_flags(). 141 142=head1 BUGS 143 144Delta CRL checking is currently primitive. Only a single delta can be used and 145(partly due to limitations of B<X509_STORE>) constructed CRLs are not 146maintained. 147 148If CRLs checking is enable CRLs are expected to be available in the 149corresponding B<X509_STORE> structure. No attempt is made to download 150CRLs from the CRL distribution points extension. 151 152=head1 EXAMPLE 153 154Enable CRL checking when performing certificate verification during SSL 155connections associated with an B<SSL_CTX> structure B<ctx>: 156 157 X509_VERIFY_PARAM *param; 158 param = X509_VERIFY_PARAM_new(); 159 X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK); 160 SSL_CTX_set1_param(ctx, param); 161 X509_VERIFY_PARAM_free(param); 162 163=head1 SEE ALSO 164 165L<X509_verify_cert(3)|X509_verify_cert(3)> 166 167=head1 HISTORY 168 169TBA 170 171=cut 172