X509_VERIFY_PARAM_set_flags.pod revision 331638
1=pod 2 3=head1 NAME 4 5X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose, X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth, X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_time, X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies, X509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_add1_host, X509_VERIFY_PARAM_set_hostflags, X509_VERIFY_PARAM_get0_peername, X509_VERIFY_PARAM_set1_email, X509_VERIFY_PARAM_set1_ip, X509_VERIFY_PARAM_set1_ip_asc - X509 verification parameters 6 7=head1 SYNOPSIS 8 9 #include <openssl/x509_vfy.h> 10 11 int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags); 12 int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, 13 unsigned long flags); 14 unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param); 15 16 int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose); 17 int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust); 18 19 void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t); 20 21 int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, 22 ASN1_OBJECT *policy); 23 int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, 24 STACK_OF(ASN1_OBJECT) *policies); 25 26 void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth); 27 int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param); 28 29 int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, 30 const char *name, size_t namelen); 31 int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param, 32 const char *name, size_t namelen); 33 void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, 34 unsigned int flags); 35 char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param); 36 int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, 37 const char *email, size_t emaillen); 38 int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, 39 const unsigned char *ip, size_t iplen); 40 int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc); 41 42=head1 DESCRIPTION 43 44These functions manipulate the B<X509_VERIFY_PARAM> structure associated with 45a certificate verification operation. 46 47The X509_VERIFY_PARAM_set_flags() function sets the flags in B<param> by oring 48it with B<flags>. See the B<VERIFICATION FLAGS> section for a complete 49description of values the B<flags> parameter can take. 50 51X509_VERIFY_PARAM_get_flags() returns the flags in B<param>. 52 53X509_VERIFY_PARAM_clear_flags() clears the flags B<flags> in B<param>. 54 55X509_VERIFY_PARAM_set_purpose() sets the verification purpose in B<param> 56to B<purpose>. This determines the acceptable purpose of the certificate 57chain, for example SSL client or SSL server. 58 59X509_VERIFY_PARAM_set_trust() sets the trust setting in B<param> to 60B<trust>. 61 62X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to 63B<t>. Normally the current time is used. 64 65X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled 66by default) and adds B<policy> to the acceptable policy set. 67 68X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled 69by default) and sets the acceptable policy set to B<policies>. Any existing 70policy set is cleared. The B<policies> parameter can be B<NULL> to clear 71an existing policy set. 72 73X509_VERIFY_PARAM_set_depth() sets the maximum verification depth to B<depth>. 74That is the maximum number of untrusted CA certificates that can appear in a 75chain. 76 77X509_VERIFY_PARAM_set1_host() sets the expected DNS hostname to 78B<name> clearing any previously specified host name or names. If 79B<name> is NULL, or empty the list of hostnames is cleared, and 80name checks are not performed on the peer certificate. If B<name> 81is NUL-terminated, B<namelen> may be zero, otherwise B<namelen> 82must be set to the length of B<name>. When a hostname is specified, 83certificate verification automatically invokes L<X509_check_host(3)> 84with flags equal to the B<flags> argument given to 85B<X509_VERIFY_PARAM_set_hostflags()> (default zero). Applications 86are strongly advised to use this interface in preference to explicitly 87calling L<X509_check_host(3)>, hostname checks are out of scope 88with the DANE-EE(3) certificate usage, and the internal check will 89be suppressed as appropriate when DANE support is added to OpenSSL. 90 91X509_VERIFY_PARAM_add1_host() adds B<name> as an additional reference 92identifer that can match the peer's certificate. Any previous names 93set via X509_VERIFY_PARAM_set1_host() or X509_VERIFY_PARAM_add1_host() 94are retained, no change is made if B<name> is NULL or empty. When 95multiple names are configured, the peer is considered verified when 96any name matches. 97 98X509_VERIFY_PARAM_get0_peername() returns the DNS hostname or subject 99CommonName from the peer certificate that matched one of the reference 100identifiers. When wildcard matching is not disabled, or when a 101reference identifier specifies a parent domain (starts with ".") 102rather than a hostname, the peer name may be a wildcard name or a 103sub-domain of the reference identifier respectively. The return 104string is allocated by the library and is no longer valid once the 105associated B<param> argument is freed. Applications must not free 106the return value. 107 108X509_VERIFY_PARAM_set1_email() sets the expected RFC822 email address to 109B<email>. If B<email> is NUL-terminated, B<emaillen> may be zero, otherwise 110B<emaillen> must be set to the length of B<email>. When an email address 111is specified, certificate verification automatically invokes 112L<X509_check_email(3)>. 113 114X509_VERIFY_PARAM_set1_ip() sets the expected IP address to B<ip>. 115The B<ip> argument is in binary format, in network byte-order and 116B<iplen> must be set to 4 for IPv4 and 16 for IPv6. When an IP 117address is specified, certificate verification automatically invokes 118L<X509_check_ip(3)>. 119 120X509_VERIFY_PARAM_set1_ip_asc() sets the expected IP address to 121B<ipasc>. The B<ipasc> argument is a NUL-terminal ASCII string: 122dotted decimal quad for IPv4 and colon-separated hexadecimal for 123IPv6. The condensed "::" notation is supported for IPv6 addresses. 124 125=head1 RETURN VALUES 126 127X509_VERIFY_PARAM_set_flags(), X509_VERIFY_PARAM_clear_flags(), 128X509_VERIFY_PARAM_set_purpose(), X509_VERIFY_PARAM_set_trust(), 129X509_VERIFY_PARAM_add0_policy() X509_VERIFY_PARAM_set1_policies(), 130X509_VERIFY_PARAM_set1_host(), X509_VERIFY_PARAM_set_hostflags(), 131X509_VERIFY_PARAM_set1_email(), X509_VERIFY_PARAM_set1_ip() and 132X509_VERIFY_PARAM_set1_ip_asc() return 1 for success and 0 for 133failure. 134 135X509_VERIFY_PARAM_get_flags() returns the current verification flags. 136 137X509_VERIFY_PARAM_set_time() and X509_VERIFY_PARAM_set_depth() do not return 138values. 139 140X509_VERIFY_PARAM_get_depth() returns the current verification depth. 141 142=head1 VERIFICATION FLAGS 143 144The verification flags consists of zero or more of the following flags 145ored together. 146 147B<X509_V_FLAG_CRL_CHECK> enables CRL checking for the certificate chain leaf 148certificate. An error occurs if a suitable CRL cannot be found. 149 150B<X509_V_FLAG_CRL_CHECK_ALL> enables CRL checking for the entire certificate 151chain. 152 153B<X509_V_FLAG_IGNORE_CRITICAL> disabled critical extension checking. By default 154any unhandled critical extensions in certificates or (if checked) CRLs results 155in a fatal error. If this flag is set unhandled critical extensions are 156ignored. B<WARNING> setting this option for anything other than debugging 157purposes can be a security risk. Finer control over which extensions are 158supported can be performed in the verification callback. 159 160THe B<X509_V_FLAG_X509_STRICT> flag disables workarounds for some broken 161certificates and makes the verification strictly apply B<X509> rules. 162 163B<X509_V_FLAG_ALLOW_PROXY_CERTS> enables proxy certificate verification. 164 165B<X509_V_FLAG_POLICY_CHECK> enables certificate policy checking, by default 166no policy checking is peformed. Additional information is sent to the 167verification callback relating to policy checking. 168 169B<X509_V_FLAG_EXPLICIT_POLICY>, B<X509_V_FLAG_INHIBIT_ANY> and 170B<X509_V_FLAG_INHIBIT_MAP> set the B<require explicit policy>, B<inhibit any 171policy> and B<inhibit policy mapping> flags respectively as defined in 172B<RFC3280>. Policy checking is automatically enabled if any of these flags 173are set. 174 175If B<X509_V_FLAG_NOTIFY_POLICY> is set and the policy checking is successful 176a special status code is set to the verification callback. This permits it 177to examine the valid policy tree and perform additional checks or simply 178log it for debugging purposes. 179 180By default some additional features such as indirect CRLs and CRLs signed by 181different keys are disabled. If B<X509_V_FLAG_EXTENDED_CRL_SUPPORT> is set 182they are enabled. 183 184If B<X509_V_FLAG_USE_DELTAS> ise set delta CRLs (if present) are used to 185determine certificate status. If not set deltas are ignored. 186 187B<X509_V_FLAG_CHECK_SS_SIGNATURE> enables checking of the root CA self signed 188cerificate signature. By default this check is disabled because it doesn't 189add any additional security but in some cases applications might want to 190check the signature anyway. A side effect of not checking the root CA 191signature is that disabled or unsupported message digests on the root CA 192are not treated as fatal errors. 193 194The B<X509_V_FLAG_CB_ISSUER_CHECK> flag enables debugging of certificate 195issuer checks. It is B<not> needed unless you are logging certificate 196verification. If this flag is set then additional status codes will be sent 197to the verification callback and it B<must> be prepared to handle such cases 198without assuming they are hard errors. 199 200The B<X509_V_FLAG_NO_ALT_CHAINS> flag suppresses checking for alternative 201chains. By default, when building a certificate chain, if the first certificate 202chain found is not trusted, then OpenSSL will continue to check to see if an 203alternative chain can be found that is trusted. With this flag set the behaviour 204will match that of OpenSSL versions prior to 1.0.2b. 205 206The B<X509_V_FLAG_TRUSTED_FIRST> flag causes chain construction to look for 207issuers in the trust store before looking at the untrusted certificates 208provided as part of the the peer chain. 209Though it is not on by default in OpenSSL 1.0.2, applications should generally 210set this flag. 211Local issuer certificates are often more likely to satisfy local security 212requirements and lead to a locally trusted root. 213This is especially important When some certificates in the trust store have 214explicit trust settings (see "TRUST SETTINGS" in L<x509(1)>). 215 216The B<X509_V_FLAG_PARTIAL_CHAIN> flag causes intermediate certificates in the 217trust store to be treated as trust-anchors, in the same way as the self-signed 218root CA certificates. 219This makes it possible to trust certificates issued by an intermediate CA 220without having to trust its ancestor root CA. 221With OpenSSL 1.0.2, chain construction continues as long as there are 222additional trusted issuers in the trust store, and the last trusted issuer 223becomes the trust-anchor. 224Thus, even when an intermediate certificate is found in the trust store, the 225verified chain passed to callbacks may still be anchored by a root CA. 226 227=head1 NOTES 228 229The above functions should be used to manipulate verification parameters 230instead of legacy functions which work in specific structures such as 231X509_STORE_CTX_set_flags(). 232 233=head1 BUGS 234 235Delta CRL checking is currently primitive. Only a single delta can be used and 236(partly due to limitations of B<X509_STORE>) constructed CRLs are not 237maintained. 238 239If CRLs checking is enable CRLs are expected to be available in the 240corresponding B<X509_STORE> structure. No attempt is made to download 241CRLs from the CRL distribution points extension. 242 243=head1 EXAMPLE 244 245Enable CRL checking when performing certificate verification during SSL 246connections associated with an B<SSL_CTX> structure B<ctx>: 247 248 X509_VERIFY_PARAM *param; 249 param = X509_VERIFY_PARAM_new(); 250 X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK); 251 SSL_CTX_set1_param(ctx, param); 252 X509_VERIFY_PARAM_free(param); 253 254=head1 SEE ALSO 255 256L<X509_verify_cert(3)|X509_verify_cert(3)>, 257L<X509_check_host(3)|X509_check_host(3)>, 258L<X509_check_email(3)|X509_check_email(3)>, 259L<X509_check_ip(3)|X509_check_ip(3)>, 260L<x509(1)|x509(1)> 261 262=head1 HISTORY 263 264The B<X509_V_FLAG_NO_ALT_CHAINS> flag was added in OpenSSL 1.0.2b 265 266=cut 267