1e71b7053SJung-uk Kim=pod 2e71b7053SJung-uk Kim 3e71b7053SJung-uk Kim=head1 NAME 4e71b7053SJung-uk Kim 5*b077aed3SPierre ProncheryX509_build_chain, 6*b077aed3SPierre ProncheryX509_verify_cert, 7*b077aed3SPierre ProncheryX509_STORE_CTX_verify - build and verify X509 certificate chain 8e71b7053SJung-uk Kim 9e71b7053SJung-uk Kim=head1 SYNOPSIS 10e71b7053SJung-uk Kim 11*b077aed3SPierre Pronchery #include <openssl/x509_vfy.h> 12e71b7053SJung-uk Kim 13*b077aed3SPierre Pronchery STACK_OF(X509) *X509_build_chain(X509 *target, STACK_OF(X509) *certs, 14*b077aed3SPierre Pronchery X509_STORE *store, int with_self_signed, 15*b077aed3SPierre Pronchery OSSL_LIB_CTX *libctx, const char *propq); 16e71b7053SJung-uk Kim int X509_verify_cert(X509_STORE_CTX *ctx); 17*b077aed3SPierre Pronchery int X509_STORE_CTX_verify(X509_STORE_CTX *ctx); 18e71b7053SJung-uk Kim 19e71b7053SJung-uk Kim=head1 DESCRIPTION 20e71b7053SJung-uk Kim 21*b077aed3SPierre ProncheryX509_build_chain() builds a certificate chain starting from I<target> 22*b077aed3SPierre Proncheryusing the optional list of intermediate CA certificates I<certs>. 23*b077aed3SPierre ProncheryIf I<store> is NULL it builds the chain as far down as possible, ignoring errors. 24*b077aed3SPierre ProncheryElse the chain must reach a trust anchor contained in I<store>. 25*b077aed3SPierre ProncheryIt internally uses a B<X509_STORE_CTX> structure associated with the library 26*b077aed3SPierre Proncherycontext I<libctx> and property query string I<propq>, both of which may be NULL. 27*b077aed3SPierre ProncheryIn case there is more than one possibility for the chain, only one is taken. 28*b077aed3SPierre Pronchery 29*b077aed3SPierre ProncheryOn success it returns a pointer to a new stack of (up_ref'ed) certificates 30*b077aed3SPierre Proncherystarting with I<target> and followed by all available intermediate certificates. 31*b077aed3SPierre ProncheryA self-signed trust anchor is included only if I<target> is the trust anchor 32*b077aed3SPierre Proncheryof I<with_self_signed> is 1. 33*b077aed3SPierre ProncheryIf a non-NULL stack is returned the caller is responsible for freeing it. 34*b077aed3SPierre Pronchery 35e71b7053SJung-uk KimThe X509_verify_cert() function attempts to discover and validate a 36*b077aed3SPierre Proncherycertificate chain based on parameters in I<ctx>. 37*b077aed3SPierre ProncheryThe verification context, of type B<X509_STORE_CTX>, can be constructed 38*b077aed3SPierre Proncheryusing L<X509_STORE_CTX_new(3)> and L<X509_STORE_CTX_init(3)>. 39*b077aed3SPierre ProncheryIt usually includes a target certificate to be verified, 40*b077aed3SPierre Proncherya set of certificates serving as trust anchors, 41*b077aed3SPierre Proncherya list of non-trusted certificates that may be helpful for chain construction, 42*b077aed3SPierre Proncheryflags such as X509_V_FLAG_X509_STRICT, and various other optional components 43*b077aed3SPierre Proncherysuch as a callback function that allows customizing the verification outcome. 44*b077aed3SPierre ProncheryA complete description of the certificate verification process is contained in 45*b077aed3SPierre Proncherythe L<openssl-verification-options(1)> manual page. 46e71b7053SJung-uk Kim 47e71b7053SJung-uk KimApplications rarely call this function directly but it is used by 48e71b7053SJung-uk KimOpenSSL internally for certificate validation, in both the S/MIME and 49e71b7053SJung-uk KimSSL/TLS code. 50e71b7053SJung-uk Kim 51e71b7053SJung-uk KimA negative return value from X509_verify_cert() can occur if it is invoked 52*b077aed3SPierre Proncheryincorrectly, such as with no certificate set in I<ctx>, or when it is called 53*b077aed3SPierre Proncherytwice in succession without reinitialising I<ctx> for the second call. 54*b077aed3SPierre ProncheryA negative return value can also happen due to internal resource problems 55*b077aed3SPierre Proncheryor because an internal inconsistency has been detected. 56*b077aed3SPierre ProncheryApplications must interpret any return value <= 0 as an error. 57e71b7053SJung-uk Kim 58*b077aed3SPierre ProncheryThe X509_STORE_CTX_verify() behaves like X509_verify_cert() except that its 59*b077aed3SPierre Proncherytarget certificate is the first element of the list of untrusted certificates 60*b077aed3SPierre Proncheryin I<ctx> unless a target certificate is set explicitly. 61e71b7053SJung-uk Kim 62*b077aed3SPierre Pronchery=head1 RETURN VALUES 63*b077aed3SPierre Pronchery 64*b077aed3SPierre ProncheryX509_build_chain() returns NULL on error, else a stack of certificates. 65*b077aed3SPierre Pronchery 66*b077aed3SPierre ProncheryBoth X509_verify_cert() and X509_STORE_CTX_verify() 67*b077aed3SPierre Proncheryreturn 1 if a complete chain can be built and validated, 68*b077aed3SPierre Proncheryotherwise they return 0, and in exceptional circumstances (such as malloc 69*b077aed3SPierre Proncheryfailure and internal errors) they can also return a negative code. 70*b077aed3SPierre Pronchery 71*b077aed3SPierre ProncheryIf a complete chain can be built and validated both functions return 1. 72*b077aed3SPierre ProncheryIf the certificate must be rejected on the basis of the data available 73*b077aed3SPierre Proncheryor any required certificate status data is not available they return 0. 74*b077aed3SPierre ProncheryIf no definite answer possible they usually return a negative code. 75*b077aed3SPierre Pronchery 76*b077aed3SPierre ProncheryOn error or failure additional error information can be obtained by 77*b077aed3SPierre Proncheryexamining I<ctx> using, for example, L<X509_STORE_CTX_get_error(3)>. Even if 78*b077aed3SPierre Proncheryverification indicated success, the stored error code may be different from 79*b077aed3SPierre ProncheryX509_V_OK, likely because a verification callback function has waived the error. 80e71b7053SJung-uk Kim 81e71b7053SJung-uk Kim=head1 SEE ALSO 82e71b7053SJung-uk Kim 83*b077aed3SPierre ProncheryL<X509_STORE_CTX_new(3)>, L<X509_STORE_CTX_init(3)>, 84e71b7053SJung-uk KimL<X509_STORE_CTX_get_error(3)> 85e71b7053SJung-uk Kim 86*b077aed3SPierre Pronchery=head1 HISTORY 87*b077aed3SPierre Pronchery 88*b077aed3SPierre ProncheryX509_build_chain() and X509_STORE_CTX_verify() were added in OpenSSL 3.0. 89*b077aed3SPierre Pronchery 90e71b7053SJung-uk Kim=head1 COPYRIGHT 91e71b7053SJung-uk Kim 92*b077aed3SPierre ProncheryCopyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved. 93e71b7053SJung-uk Kim 94*b077aed3SPierre ProncheryLicensed under the Apache License 2.0 (the "License"). You may not use 95e71b7053SJung-uk Kimthis file except in compliance with the License. You can obtain a copy 96e71b7053SJung-uk Kimin the file LICENSE in the source distribution or at 97e71b7053SJung-uk KimL<https://www.openssl.org/source/license.html>. 98e71b7053SJung-uk Kim 99e71b7053SJung-uk Kim=cut 100