1e71b7053SJung-uk Kim=pod 2e71b7053SJung-uk Kim 3e71b7053SJung-uk Kim=head1 NAME 4e71b7053SJung-uk Kim 5e71b7053SJung-uk KimSSL_get_peer_cert_chain, SSL_get0_verified_chain - get the X509 certificate 6e71b7053SJung-uk Kimchain of the peer 7e71b7053SJung-uk Kim 8e71b7053SJung-uk Kim=head1 SYNOPSIS 9e71b7053SJung-uk Kim 10e71b7053SJung-uk Kim #include <openssl/ssl.h> 11e71b7053SJung-uk Kim 12e71b7053SJung-uk Kim STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl); 13e71b7053SJung-uk Kim STACK_OF(X509) *SSL_get0_verified_chain(const SSL *ssl); 14e71b7053SJung-uk Kim 15e71b7053SJung-uk Kim=head1 DESCRIPTION 16e71b7053SJung-uk Kim 17e71b7053SJung-uk KimSSL_get_peer_cert_chain() returns a pointer to STACK_OF(X509) certificates 18e71b7053SJung-uk Kimforming the certificate chain sent by the peer. If called on the client side, 19e71b7053SJung-uk Kimthe stack also contains the peer's certificate; if called on the server 20e71b7053SJung-uk Kimside, the peer's certificate must be obtained separately using 21e71b7053SJung-uk KimL<SSL_get_peer_certificate(3)>. 22e71b7053SJung-uk KimIf the peer did not present a certificate, NULL is returned. 23e71b7053SJung-uk Kim 24e71b7053SJung-uk KimNB: SSL_get_peer_cert_chain() returns the peer chain as sent by the peer: it 25e71b7053SJung-uk Kimonly consists of certificates the peer has sent (in the order the peer 26e71b7053SJung-uk Kimhas sent them) it is B<not> a verified chain. 27e71b7053SJung-uk Kim 28e71b7053SJung-uk KimSSL_get0_verified_chain() returns the B<verified> certificate chain 29e71b7053SJung-uk Kimof the peer including the peer's end entity certificate. It must be called 30e71b7053SJung-uk Kimafter a session has been successfully established. If peer verification was 31e71b7053SJung-uk Kimnot successful (as indicated by SSL_get_verify_result() not returning 32e71b7053SJung-uk KimX509_V_OK) the chain may be incomplete or invalid. 33e71b7053SJung-uk Kim 34e71b7053SJung-uk Kim=head1 NOTES 35e71b7053SJung-uk Kim 36e71b7053SJung-uk KimIf the session is resumed peers do not send certificates so a NULL pointer 37e71b7053SJung-uk Kimis returned by these functions. Applications can call SSL_session_reused() 38e71b7053SJung-uk Kimto determine whether a session is resumed. 39e71b7053SJung-uk Kim 40e71b7053SJung-uk KimThe reference count of each certificate in the returned STACK_OF(X509) object 41e71b7053SJung-uk Kimis not incremented and the returned stack may be invalidated by renegotiation. 42e71b7053SJung-uk KimIf applications wish to use any certificates in the returned chain 43e71b7053SJung-uk Kimindefinitely they must increase the reference counts using X509_up_ref() or 44e71b7053SJung-uk Kimobtain a copy of the whole chain with X509_chain_up_ref(). 45e71b7053SJung-uk Kim 46e71b7053SJung-uk Kim=head1 RETURN VALUES 47e71b7053SJung-uk Kim 48e71b7053SJung-uk KimThe following return values can occur: 49e71b7053SJung-uk Kim 50e71b7053SJung-uk Kim=over 4 51e71b7053SJung-uk Kim 52e71b7053SJung-uk Kim=item NULL 53e71b7053SJung-uk Kim 54e71b7053SJung-uk KimNo certificate was presented by the peer or no connection was established 55e71b7053SJung-uk Kimor the certificate chain is no longer available when a session is reused. 56e71b7053SJung-uk Kim 57e71b7053SJung-uk Kim=item Pointer to a STACK_OF(X509) 58e71b7053SJung-uk Kim 59e71b7053SJung-uk KimThe return value points to the certificate chain presented by the peer. 60e71b7053SJung-uk Kim 61e71b7053SJung-uk Kim=back 62e71b7053SJung-uk Kim 63e71b7053SJung-uk Kim=head1 SEE ALSO 64e71b7053SJung-uk Kim 65e71b7053SJung-uk KimL<ssl(7)>, L<SSL_get_peer_certificate(3)>, L<X509_up_ref(3)>, 66e71b7053SJung-uk KimL<X509_chain_up_ref(3)> 67e71b7053SJung-uk Kim 68e71b7053SJung-uk Kim=head1 COPYRIGHT 69e71b7053SJung-uk Kim 70e71b7053SJung-uk KimCopyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. 71e71b7053SJung-uk Kim 72*b077aed3SPierre ProncheryLicensed under the Apache License 2.0 (the "License"). You may not use 73e71b7053SJung-uk Kimthis file except in compliance with the License. You can obtain a copy 74e71b7053SJung-uk Kimin the file LICENSE in the source distribution or at 75e71b7053SJung-uk KimL<https://www.openssl.org/source/license.html>. 76e71b7053SJung-uk Kim 77e71b7053SJung-uk Kim=cut 78