=pod

=head1 NAME

X509_verify, X509_self_signed,
X509_REQ_verify_ex, X509_REQ_verify,
X509_CRL_verify -
verify certificate, certificate request, or CRL signature

=head1 SYNOPSIS

 #include <openssl/x509.h>

 int X509_verify(X509 *x, EVP_PKEY *pkey);
 int X509_self_signed(X509 *cert, int verify_signature);

 int X509_REQ_verify_ex(X509_REQ *a, EVP_PKEY *pkey, OSSL_LIB_CTX *libctx,
                        const char *propq);
 int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r);
 int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r);

=head1 DESCRIPTION

X509_verify() verifies the signature of certificate I<x> using public key
I<pkey>. Only the signature is checked: no other checks (such as certificate
chain validity) are performed.

X509_self_signed() checks whether certificate I<cert> is self-signed.
For success the issuer and subject names must match, the components of the
authority key identifier (if present) must match the subject key identifier etc.
The signature itself is actually verified only if B<verify_signature> is 1, as
for explicitly trusted certificates this verification is not worth the effort.

X509_REQ_verify_ex(), X509_REQ_verify() and X509_CRL_verify()
verify the signatures of certificate requests and CRLs, respectively.

=head1 RETURN VALUES

X509_verify(),
X509_REQ_verify_ex(), X509_REQ_verify() and X509_CRL_verify()
return 1 if the signature is valid and 0 if the signature check fails.
If the signature could not be checked at all because it was ill-formed,
the certificate or the request was not complete or some other error occurred
then -1 is returned.

X509_self_signed() returns the same values but also returns 1
if all respective fields match and B<verify_signature> is 0.

=head1 SEE ALSO

L<d2i_X509(3)>,
L<ERR_get_error(3)>,
L<X509_CRL_get0_by_serial(3)>,
L<X509_get0_signature(3)>,
L<X509_get_ext_d2i(3)>,
L<X509_get_extension_flags(3)>,
L<X509_get_pubkey(3)>,
L<X509_get_subject_name(3)>,
L<X509_get_version(3)>,
L<X509_NAME_ENTRY_get_object(3)>,
L<X509_NAME_get_index_by_NID(3)>,
L<X509_NAME_print_ex(3)>,
L<X509V3_get_d2i(3)>,
L<X509_verify_cert(3)>,
L<OSSL_LIB_CTX(3)>

=head1 HISTORY

The X509_verify(), X509_REQ_verify(), and X509_CRL_verify()
functions are available in all versions of OpenSSL.

X509_REQ_verify_ex() and X509_self_signed() were added in OpenSSL 3.0.

=head1 COPYRIGHT

Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut