-.\" $OpenBSD: X509_STORE_CTX_set_verify.3,v 1.3 2022/11/16 14:55:40 schwarze Exp $
+.\" $OpenBSD: X509_STORE_CTX_set_verify.3,v 1.4 2023/03/16 15:21:44 job Exp $
.\"
.\" Copyright (c) 2021, 2022 Ingo Schwarze <schwarze@openbsd.org>
.\"
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: November 16 2022 $
+.Dd $Mdocdate: March 16 2023 $
.Dt X509_STORE_CTX_SET_VERIFY 3
.Os
.Sh NAME
.Nm X509_STORE_CTX_get_verify ,
.Nm X509_STORE_set_verify ,
.Nm X509_STORE_set_verify_func ,
-.Nm X509_STORE_get_verify
+.Nm X509_STORE_get_verify ,
+.Nm X509_STORE_set_check_issued ,
+.Nm X509_STORE_get_check_issued ,
+.Nm X509_STORE_CTX_get_check_issued
.Nd user-defined certificate chain verification function
.Sh SYNOPSIS
.In openssl/x509_vfy.h
.Fo X509_STORE_get_verify
.Fa "X509_STORE_CTX *ctx"
.Fc
+.Ft typedef int
+.Fo "(*X509_STORE_CTX_check_issued_fn)
+.Fa "X509_STORE_CTX *ctx"
+.Fa "X509 *subject"
+.Fa "X509 *issuer"
+.Fc
+.Ft void
+.Fo X509_STORE_set_check_issued
+.Fa "X509_STORE *store"
+.Fa "X509_STORE_CTX_check_issued_fn check_issued"
+.Fc
+.Ft X509_STORE_CTX_check_issued_fn
+.Fo X509_STORE_get_check_issued
+.Fa "X509_STORE *store"
+.Fc
+.Ft X509_STORE_CTX_check_issued_fn
+.Fo X509_STORE_CTX_get_check_issued
+.Fa "X509_STORE_CTX *ctx"
+.Fc
.Sh DESCRIPTION
.Fn X509_STORE_CTX_set_verify
configures
is an alias for
.Fn X509_STORE_set_verify
implemented as a macro.
+.Pp
+.Fn X509_STORE_set_check_issued
+saves the function pointer
+.Fa check_issued
+in the given
+.Fa store
+object.
+That pointer will be copied to an
+.Vt X509_STORE_CTX
+object when
+.Fa store
+is later passed as an argument to
+.Fn X509_STORE_CTX_init 3 .
+.Pp
+The
+.Fa check_issued
+function provided by the user should check whether a given certificate
+.Fa subject
+was issued using the CA certificate
+.Fa issuer ,
+and must return 0 on failure and 1 on success.
.Sh RETURN VALUES
.Fn X509_STORE_CTX_verify_fn
is supposed to return 1 to indicate that the chain is valid
.Dv NULL
if that function was not called on the
.Fa store .
+.Pp
+.Fn X509_STORE_get_check_issued
+returns the function pointer previously set with
+.Fn X509_STORE_set_check_issued ,
+or
+.Dv NULL
+if that function was not called on the
+.Fa store .
+.Pp
+.Fn X509_STORE_CTX_get_check_issued
+returns the
+.Fn check_issued
+function set on the
+.Vt X509_STORE_CTX .
+This is either the
+.Fn check_issued
+function inherited from the
+.Fa store
+used in
+.Xr X509_STORE_CTX_init 3
+or the library's default implementation.
.Sh SEE ALSO
.Xr X509_STORE_CTX_init 3 ,
.Xr X509_STORE_CTX_set_error 3 ,
.Xr X509_STORE_set_verify_cb 3 ,
.Xr X509_verify_cert 3 ,
.Xr X509_VERIFY_PARAM_set_flags 3
+.Xr X509_check_issued 3
.Sh HISTORY
.Fn X509_STORE_set_verify_func
first appeared in SSLeay 0.8.0 and has been available since
.Fn X509_STORE_get_verify
first appeared in OpenSSL 1.1.0 and have been available since
.Ox 7.2 .
+.Pp
+.Fn X509_STORE_set_check_issued ,
+.Fn X509_STORE_get_check_issued ,
+and
+.Fn X509_STORE_CTX_get_check_issued
+first appeared in OpenSSL 1.1.0 and have been available since
+.Ox 7.3 .
projects / openbsd / commitdiff