1=pod 2 3=head1 NAME 4 5X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose, X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth, X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_time, X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies, X509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_add1_host, X509_VERIFY_PARAM_set_hostflags, X509_VERIFY_PARAM_get0_peername, X509_VERIFY_PARAM_set1_email, X509_VERIFY_PARAM_set1_ip, X509_VERIFY_PARAM_set1_ip_asc - X509 verification parameters 6 7=head1 SYNOPSIS 8 9 #include <openssl/x509_vfy.h> 10 11 int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags); 12 int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, 13 unsigned long flags); 14 unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param); 15 16 int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose); 17 int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust); 18 19 void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t); 20 21 int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, 22 ASN1_OBJECT *policy); 23 int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, 24 STACK_OF(ASN1_OBJECT) *policies); 25 26 void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth); 27 int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param); 28 29 int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, 30 const char *name, size_t namelen); 31 int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param, 32 const char *name, size_t namelen); 33 void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, 34 unsigned int flags); 35 char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param); 36 int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, 37 const char *email, size_t emaillen); 38 int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, 39 const unsigned char *ip, size_t iplen); 40 int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc); 41 42=head1 DESCRIPTION 43 44These functions manipulate the B<X509_VERIFY_PARAM> structure associated with 45a certificate verification operation. 46 47The X509_VERIFY_PARAM_set_flags() function sets the flags in B<param> by oring 48it with B<flags>. See the B<VERIFICATION FLAGS> section for a complete 49description of values the B<flags> parameter can take. 50 51X509_VERIFY_PARAM_get_flags() returns the flags in B<param>. 52 53X509_VERIFY_PARAM_clear_flags() clears the flags B<flags> in B<param>. 54 55X509_VERIFY_PARAM_set_purpose() sets the verification purpose in B<param> 56to B<purpose>. This determines the acceptable purpose of the certificate 57chain, for example SSL client or SSL server. 58 59X509_VERIFY_PARAM_set_trust() sets the trust setting in B<param> to 60B<trust>. 61 62X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to 63B<t>. Normally the current time is used. 64 65X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled 66by default) and adds B<policy> to the acceptable policy set. 67 68X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled 69by default) and sets the acceptable policy set to B<policies>. Any existing 70policy set is cleared. The B<policies> parameter can be B<NULL> to clear 71an existing policy set. 72 73X509_VERIFY_PARAM_set_depth() sets the maximum verification depth to B<depth>. 74That is the maximum number of untrusted CA certificates that can appear in a 75chain. 76 77X509_VERIFY_PARAM_set1_host() sets the expected DNS hostname to 78B<name> clearing any previously specified host name or names. If 79B<name> is NULL, or empty the list of hostnames is cleared, and 80name checks are not performed on the peer certificate. If B<name> 81is NUL-terminated, B<namelen> may be zero, otherwise B<namelen> 82must be set to the length of B<name>. When a hostname is specified, 83certificate verification automatically invokes L<X509_check_host(3)> 84with flags equal to the B<flags> argument given to 85B<X509_VERIFY_PARAM_set_hostflags()> (default zero). Applications 86are strongly advised to use this interface in preference to explicitly 87calling L<X509_check_host(3)>, hostname checks are out of scope 88with the DANE-EE(3) certificate usage, and the internal check will 89be suppressed as appropriate when DANE support is added to OpenSSL. 90 91X509_VERIFY_PARAM_add1_host() adds B<name> as an additional reference 92identifer that can match the peer's certificate. Any previous names 93set via X509_VERIFY_PARAM_set1_host() or X509_VERIFY_PARAM_add1_host() 94are retained, no change is made if B<name> is NULL or empty. When 95multiple names are configured, the peer is considered verified when 96any name matches. 97 98X509_VERIFY_PARAM_get0_peername() returns the DNS hostname or subject 99CommonName from the peer certificate that matched one of the reference 100identifiers. When wildcard matching is not disabled, or when a 101reference identifier specifies a parent domain (starts with ".") 102rather than a hostname, the peer name may be a wildcard name or a 103sub-domain of the reference identifier respectively. The return 104string is allocated by the library and is no longer valid once the 105associated B<param> argument is freed. Applications must not free 106the return value. 107 108X509_VERIFY_PARAM_set1_email() sets the expected RFC822 email address to 109B<email>. If B<email> is NUL-terminated, B<emaillen> may be zero, otherwise 110B<emaillen> must be set to the length of B<email>. When an email address 111is specified, certificate verification automatically invokes 112L<X509_check_email(3)>. 113 114X509_VERIFY_PARAM_set1_ip() sets the expected IP address to B<ip>. 115The B<ip> argument is in binary format, in network byte-order and 116B<iplen> must be set to 4 for IPv4 and 16 for IPv6. When an IP 117address is specified, certificate verification automatically invokes 118L<X509_check_ip(3)>. 119 120X509_VERIFY_PARAM_set1_ip_asc() sets the expected IP address to 121B<ipasc>. The B<ipasc> argument is a NUL-terminal ASCII string: 122dotted decimal quad for IPv4 and colon-separated hexadecimal for 123IPv6. The condensed "::" notation is supported for IPv6 addresses. 124 125=head1 RETURN VALUES 126 127X509_VERIFY_PARAM_set_flags(), X509_VERIFY_PARAM_clear_flags(), 128X509_VERIFY_PARAM_set_purpose(), X509_VERIFY_PARAM_set_trust(), 129X509_VERIFY_PARAM_add0_policy() X509_VERIFY_PARAM_set1_policies(), 130X509_VERIFY_PARAM_set1_host(), X509_VERIFY_PARAM_set_hostflags(), 131X509_VERIFY_PARAM_set1_email(), X509_VERIFY_PARAM_set1_ip() and 132X509_VERIFY_PARAM_set1_ip_asc() return 1 for success and 0 for 133failure. 134 135X509_VERIFY_PARAM_get_flags() returns the current verification flags. 136 137X509_VERIFY_PARAM_set_time() and X509_VERIFY_PARAM_set_depth() do not return 138values. 139 140X509_VERIFY_PARAM_get_depth() returns the current verification depth. 141 142=head1 VERIFICATION FLAGS 143 144The verification flags consists of zero or more of the following flags 145ored together. 146 147B<X509_V_FLAG_CRL_CHECK> enables CRL checking for the certificate chain leaf 148certificate. An error occurs if a suitable CRL cannot be found. 149 150B<X509_V_FLAG_CRL_CHECK_ALL> enables CRL checking for the entire certificate 151chain. 152 153B<X509_V_FLAG_IGNORE_CRITICAL> disabled critical extension checking. By default 154any unhandled critical extensions in certificates or (if checked) CRLs results 155in a fatal error. If this flag is set unhandled critical extensions are 156ignored. B<WARNING> setting this option for anything other than debugging 157purposes can be a security risk. Finer control over which extensions are 158supported can be performed in the verification callback. 159 160THe B<X509_V_FLAG_X509_STRICT> flag disables workarounds for some broken 161certificates and makes the verification strictly apply B<X509> rules. 162 163B<X509_V_FLAG_ALLOW_PROXY_CERTS> enables proxy certificate verification. 164 165B<X509_V_FLAG_POLICY_CHECK> enables certificate policy checking, by default 166no policy checking is peformed. Additional information is sent to the 167verification callback relating to policy checking. 168 169B<X509_V_FLAG_EXPLICIT_POLICY>, B<X509_V_FLAG_INHIBIT_ANY> and 170B<X509_V_FLAG_INHIBIT_MAP> set the B<require explicit policy>, B<inhibit any 171policy> and B<inhibit policy mapping> flags respectively as defined in 172B<RFC3280>. Policy checking is automatically enabled if any of these flags 173are set. 174 175If B<X509_V_FLAG_NOTIFY_POLICY> is set and the policy checking is successful 176a special status code is set to the verification callback. This permits it 177to examine the valid policy tree and perform additional checks or simply 178log it for debugging purposes. 179 180By default some additional features such as indirect CRLs and CRLs signed by 181different keys are disabled. If B<X509_V_FLAG_EXTENDED_CRL_SUPPORT> is set 182they are enabled. 183 184If B<X509_V_FLAG_USE_DELTAS> ise set delta CRLs (if present) are used to 185determine certificate status. If not set deltas are ignored. 186 187B<X509_V_FLAG_CHECK_SS_SIGNATURE> enables checking of the root CA self signed 188cerificate signature. By default this check is disabled because it doesn't 189add any additional security but in some cases applications might want to 190check the signature anyway. A side effect of not checking the root CA 191signature is that disabled or unsupported message digests on the root CA 192are not treated as fatal errors. 193 194The B<X509_V_FLAG_CB_ISSUER_CHECK> flag enables debugging of certificate 195issuer checks. It is B<not> needed unless you are logging certificate 196verification. If this flag is set then additional status codes will be sent 197to the verification callback and it B<must> be prepared to handle such cases 198without assuming they are hard errors. 199 200The B<X509_V_FLAG_NO_ALT_CHAINS> flag suppresses checking for alternative 201chains. By default, when building a certificate chain, if the first certificate 202chain found is not trusted, then OpenSSL will continue to check to see if an 203alternative chain can be found that is trusted. With this flag set the behaviour 204will match that of OpenSSL versions prior to 1.0.2b. 205 206=head1 NOTES 207 208The above functions should be used to manipulate verification parameters 209instead of legacy functions which work in specific structures such as 210X509_STORE_CTX_set_flags(). 211 212=head1 BUGS 213 214Delta CRL checking is currently primitive. Only a single delta can be used and 215(partly due to limitations of B<X509_STORE>) constructed CRLs are not 216maintained. 217 218If CRLs checking is enable CRLs are expected to be available in the 219corresponding B<X509_STORE> structure. No attempt is made to download 220CRLs from the CRL distribution points extension. 221 222=head1 EXAMPLE 223 224Enable CRL checking when performing certificate verification during SSL 225connections associated with an B<SSL_CTX> structure B<ctx>: 226 227 X509_VERIFY_PARAM *param; 228 param = X509_VERIFY_PARAM_new(); 229 X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK); 230 SSL_CTX_set1_param(ctx, param); 231 X509_VERIFY_PARAM_free(param); 232 233=head1 SEE ALSO 234 235L<X509_verify_cert(3)|X509_verify_cert(3)>, 236L<X509_check_host(3)|X509_check_host(3)>, 237L<X509_check_email(3)|X509_check_email(3)>, 238L<X509_check_ip(3)|X509_check_ip(3)> 239 240=head1 HISTORY 241 242The B<X509_V_FLAG_NO_ALT_CHAINS> flag was added in OpenSSL 1.0.2b 243 244=cut 245