| 1 | =pod
|
|---|
| 2 |
|
|---|
| 3 | =head1 NAME
|
|---|
| 4 |
|
|---|
| 5 | X509_STORE,
|
|---|
| 6 | X509_STORE_add_cert, X509_STORE_add_crl, X509_STORE_set_depth,
|
|---|
| 7 | X509_STORE_set_flags, X509_STORE_set_purpose, X509_STORE_set_trust,
|
|---|
| 8 | X509_STORE_add_lookup,
|
|---|
| 9 | X509_STORE_load_file_ex, X509_STORE_load_file, X509_STORE_load_path,
|
|---|
| 10 | X509_STORE_load_store_ex, X509_STORE_load_store,
|
|---|
| 11 | X509_STORE_set_default_paths_ex, X509_STORE_set_default_paths,
|
|---|
| 12 | X509_STORE_load_locations_ex, X509_STORE_load_locations
|
|---|
| 13 | - X509_STORE manipulation
|
|---|
| 14 |
|
|---|
| 15 | =head1 SYNOPSIS
|
|---|
| 16 |
|
|---|
| 17 | #include <openssl/x509_vfy.h>
|
|---|
| 18 |
|
|---|
| 19 | typedef x509_store_st X509_STORE;
|
|---|
| 20 |
|
|---|
| 21 | int X509_STORE_add_cert(X509_STORE *ctx, X509 *x);
|
|---|
| 22 | int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x);
|
|---|
| 23 | int X509_STORE_set_depth(X509_STORE *store, int depth);
|
|---|
| 24 | int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags);
|
|---|
| 25 | int X509_STORE_set_purpose(X509_STORE *ctx, int purpose);
|
|---|
| 26 | int X509_STORE_set_trust(X509_STORE *ctx, int trust);
|
|---|
| 27 |
|
|---|
| 28 | X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *store,
|
|---|
| 29 | X509_LOOKUP_METHOD *meth);
|
|---|
| 30 |
|
|---|
| 31 | int X509_STORE_set_default_paths_ex(X509_STORE *ctx, OSSL_LIB_CTX *libctx,
|
|---|
| 32 | const char *propq);
|
|---|
| 33 | int X509_STORE_set_default_paths(X509_STORE *ctx);
|
|---|
| 34 | int X509_STORE_load_file_ex(X509_STORE *ctx, const char *file,
|
|---|
| 35 | OSSL_LIB_CTX *libctx, const char *propq);
|
|---|
| 36 | int X509_STORE_load_file(X509_STORE *ctx, const char *file);
|
|---|
| 37 | int X509_STORE_load_path(X509_STORE *ctx, const char *dir);
|
|---|
| 38 | int X509_STORE_load_store_ex(X509_STORE *ctx, const char *uri,
|
|---|
| 39 | OSSL_LIB_CTX *libctx, const char *propq);
|
|---|
| 40 | int X509_STORE_load_store(X509_STORE *ctx, const char *uri);
|
|---|
| 41 | int X509_STORE_load_locations_ex(X509_STORE *ctx, const char *file,
|
|---|
| 42 | const char *dir, OSSL_LIB_CTX *libctx,
|
|---|
| 43 | const char *propq);
|
|---|
| 44 | int X509_STORE_load_locations(X509_STORE *ctx,
|
|---|
| 45 | const char *file, const char *dir);
|
|---|
| 46 |
|
|---|
| 47 | =head1 DESCRIPTION
|
|---|
| 48 |
|
|---|
| 49 | The B<X509_STORE> structure is intended to be a consolidated mechanism for
|
|---|
| 50 | holding information about X.509 certificates and CRLs, and constructing
|
|---|
| 51 | and validating chains of certificates terminating in trusted roots.
|
|---|
| 52 | It admits multiple lookup mechanisms and efficient scaling performance
|
|---|
| 53 | with large numbers of certificates, and a great deal of flexibility in
|
|---|
| 54 | how validation and policy checks are performed.
|
|---|
| 55 |
|
|---|
| 56 | Details of the chain building and checking process are described in
|
|---|
| 57 | L<openssl-verification-options(1)/Certification Path Building> and
|
|---|
| 58 | L<openssl-verification-options(1)/Certification Path Validation>.
|
|---|
| 59 |
|
|---|
| 60 | L<X509_STORE_new(3)> creates an empty B<X509_STORE> structure, which contains
|
|---|
| 61 | no information about trusted certificates or where such certificates
|
|---|
| 62 | are located on disk, and is generally not usable. Normally, trusted
|
|---|
| 63 | certificates will be added to the B<X509_STORE> to prepare it for use,
|
|---|
| 64 | via mechanisms such as X509_STORE_add_lookup() and X509_LOOKUP_file(), or
|
|---|
| 65 | PEM_read_bio_X509_AUX() and X509_STORE_add_cert(). CRLs can also be added,
|
|---|
| 66 | and many behaviors configured as desired.
|
|---|
| 67 |
|
|---|
| 68 | Once the B<X509_STORE> is suitably configured, X509_STORE_CTX_new() is
|
|---|
| 69 | used to instantiate a single-use B<X509_STORE_CTX> for each chain-building
|
|---|
| 70 | and verification operation. That process includes providing the end-entity
|
|---|
| 71 | certificate to be verified and an additional set of untrusted certificates
|
|---|
| 72 | that may be used in chain-building. As such, it is expected that the
|
|---|
| 73 | certificates included in the B<X509_STORE> are certificates that represent
|
|---|
| 74 | trusted entities such as root certificate authorities (CAs).
|
|---|
| 75 | OpenSSL represents these trusted certificates internally as B<X509> objects
|
|---|
| 76 | with an associated B<X509_CERT_AUX>, as are produced by
|
|---|
| 77 | PEM_read_bio_X509_AUX() and similar routines that refer to X509_AUX.
|
|---|
| 78 | The public interfaces that operate on such trusted certificates still
|
|---|
| 79 | operate on pointers to B<X509> objects, though.
|
|---|
| 80 |
|
|---|
| 81 | X509_STORE_add_cert() and X509_STORE_add_crl() add the respective object
|
|---|
| 82 | to the B<X509_STORE>'s local storage. Untrusted objects should not be
|
|---|
| 83 | added in this way. The added object's reference count is incremented by one,
|
|---|
| 84 | hence the caller retains ownership of the object and needs to free it when it
|
|---|
| 85 | is no longer needed.
|
|---|
| 86 |
|
|---|
| 87 | X509_STORE_set_depth(), X509_STORE_set_flags(), X509_STORE_set_purpose(),
|
|---|
| 88 | X509_STORE_set_trust(), and X509_STORE_set1_param() set the default values
|
|---|
| 89 | for the corresponding values used in certificate chain validation. Their
|
|---|
| 90 | behavior is documented in the corresponding B<X509_VERIFY_PARAM> manual
|
|---|
| 91 | pages, e.g., L<X509_VERIFY_PARAM_set_depth(3)>.
|
|---|
| 92 |
|
|---|
| 93 | X509_STORE_add_lookup() finds or creates a L<X509_LOOKUP(3)> with the
|
|---|
| 94 | L<X509_LOOKUP_METHOD(3)> I<meth> and adds it to the B<X509_STORE>
|
|---|
| 95 | I<store>. This also associates the B<X509_STORE> with the lookup, so
|
|---|
| 96 | B<X509_LOOKUP> functions can look up objects in that store.
|
|---|
| 97 |
|
|---|
| 98 | X509_STORE_load_file_ex() loads trusted certificate(s) into an
|
|---|
| 99 | B<X509_STORE> from a given file. The library context I<libctx> and property
|
|---|
| 100 | query I<propq> are used when fetching algorithms from providers.
|
|---|
| 101 |
|
|---|
| 102 | X509_STORE_load_file() is similar to X509_STORE_load_file_ex() but
|
|---|
| 103 | uses NULL for the library context I<libctx> and property query I<propq>.
|
|---|
| 104 |
|
|---|
| 105 | X509_STORE_load_path() loads trusted certificate(s) into an
|
|---|
| 106 | B<X509_STORE> from a given directory path.
|
|---|
| 107 | The certificates in the directory must be in hashed form, as
|
|---|
| 108 | documented in L<X509_LOOKUP_hash_dir(3)>.
|
|---|
| 109 |
|
|---|
| 110 | X509_STORE_load_store_ex() loads trusted certificate(s) into an
|
|---|
| 111 | B<X509_STORE> from a store at a given URI. The library context I<libctx> and
|
|---|
| 112 | property query I<propq> are used when fetching algorithms from providers.
|
|---|
| 113 |
|
|---|
| 114 | X509_STORE_load_store() is similar to X509_STORE_load_store_ex() but
|
|---|
| 115 | uses NULL for the library context I<libctx> and property query I<propq>.
|
|---|
| 116 |
|
|---|
| 117 | X509_STORE_load_locations_ex() combines
|
|---|
| 118 | X509_STORE_load_file_ex() and X509_STORE_load_dir() for a given file
|
|---|
| 119 | and/or directory path.
|
|---|
| 120 | It is permitted to specify just a file, just a directory, or both
|
|---|
| 121 | paths.
|
|---|
| 122 |
|
|---|
| 123 | X509_STORE_load_locations() is similar to X509_STORE_load_locations_ex()
|
|---|
| 124 | but uses NULL for the library context I<libctx> and property query I<propq>.
|
|---|
| 125 |
|
|---|
| 126 | X509_STORE_set_default_paths_ex() is somewhat misnamed, in that it does
|
|---|
| 127 | not set what default paths should be used for loading certificates. Instead,
|
|---|
| 128 | it loads certificates into the B<X509_STORE> from the hardcoded default
|
|---|
| 129 | paths. The library context I<libctx> and property query I<propq> are used when
|
|---|
| 130 | fetching algorithms from providers.
|
|---|
| 131 |
|
|---|
| 132 | X509_STORE_set_default_paths() is similar to
|
|---|
| 133 | X509_STORE_set_default_paths_ex() but uses NULL for the library
|
|---|
| 134 | context I<libctx> and property query I<propq>.
|
|---|
| 135 |
|
|---|
| 136 | =head1 RETURN VALUES
|
|---|
| 137 |
|
|---|
| 138 | X509_STORE_add_cert(), X509_STORE_add_crl(), X509_STORE_set_depth(),
|
|---|
| 139 | X509_STORE_set_flags(), X509_STORE_set_purpose(), X509_STORE_set_trust(),
|
|---|
| 140 | X509_STORE_load_file_ex(), X509_STORE_load_file(),
|
|---|
| 141 | X509_STORE_load_path(),
|
|---|
| 142 | X509_STORE_load_store_ex(), X509_STORE_load_store(),
|
|---|
| 143 | X509_STORE_load_locations_ex(), X509_STORE_load_locations(),
|
|---|
| 144 | X509_STORE_set_default_paths_ex() and X509_STORE_set_default_paths()
|
|---|
| 145 | return 1 on success or 0 on failure.
|
|---|
| 146 |
|
|---|
| 147 | X509_STORE_add_lookup() returns the found or created
|
|---|
| 148 | L<X509_LOOKUP(3)>, or NULL on error.
|
|---|
| 149 |
|
|---|
| 150 | =head1 SEE ALSO
|
|---|
| 151 |
|
|---|
| 152 | L<X509_LOOKUP_hash_dir(3)>.
|
|---|
| 153 | L<X509_VERIFY_PARAM_set_depth(3)>.
|
|---|
| 154 | L<X509_STORE_new(3)>,
|
|---|
| 155 | L<X509_STORE_get0_param(3)>
|
|---|
| 156 |
|
|---|
| 157 | =head1 HISTORY
|
|---|
| 158 |
|
|---|
| 159 | The functions X509_STORE_set_default_paths_ex(),
|
|---|
| 160 | X509_STORE_load_file_ex(), X509_STORE_load_store_ex() and
|
|---|
| 161 | X509_STORE_load_locations_ex() were added in OpenSSL 3.0.
|
|---|
| 162 |
|
|---|
| 163 | =head1 COPYRIGHT
|
|---|
| 164 |
|
|---|
| 165 | Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
|
|---|
| 166 |
|
|---|
| 167 | Licensed under the Apache License 2.0 (the "License"). You may not use
|
|---|
| 168 | this file except in compliance with the License. You can obtain a copy
|
|---|
| 169 | in the file LICENSE in the source distribution or at
|
|---|
| 170 | L<https://www.openssl.org/source/license.html>.
|
|---|
| 171 |
|
|---|
| 172 | =cut
|
|---|
