| OLD | NEW |
|---|
| (Empty) | |
| 1 =pod |
| 2 |
| 3 =head1 NAME |
| 4 |
| 5 X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, X509_VERIFY_PARAM_ge
t_flags, X509_VERIFY_PARAM_set_purpose, X509_VERIFY_PARAM_set_trust, X509_VERIFY
_PARAM_set_depth, X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_time, X509_
VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies - X509 verification pa
rameters |
| 6 |
| 7 =head1 SYNOPSIS |
| 8 |
| 9 #include <openssl/x509_vfy.h> |
| 10 |
| 11 int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags); |
| 12 int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, |
| 13 unsigned long flags); |
| 14 unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param); |
| 15 |
| 16 int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose); |
| 17 int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust); |
| 18 |
| 19 void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t); |
| 20 |
| 21 int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, |
| 22 ASN1_OBJECT *policy); |
| 23 int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, |
| 24 STACK_OF(ASN1_OBJECT) *policies); |
| 25 |
| 26 void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth); |
| 27 int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param); |
| 28 |
| 29 =head1 DESCRIPTION |
| 30 |
| 31 These functions manipulate the B<X509_VERIFY_PARAM> structure associated with |
| 32 a certificate verification operation. |
| 33 |
| 34 The X509_VERIFY_PARAM_set_flags() function sets the flags in B<param> by oring |
| 35 it with B<flags>. See the B<VERIFICATION FLAGS> section for a complete |
| 36 description of values the B<flags> parameter can take. |
| 37 |
| 38 X509_VERIFY_PARAM_get_flags() returns the flags in B<param>. |
| 39 |
| 40 X509_VERIFY_PARAM_clear_flags() clears the flags B<flags> in B<param>. |
| 41 |
| 42 X509_VERIFY_PARAM_set_purpose() sets the verification purpose in B<param> |
| 43 to B<purpose>. This determines the acceptable purpose of the certificate |
| 44 chain, for example SSL client or SSL server. |
| 45 |
| 46 X509_VERIFY_PARAM_set_trust() sets the trust setting in B<param> to |
| 47 B<trust>. |
| 48 |
| 49 X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to |
| 50 B<t>. Normally the current time is used. |
| 51 |
| 52 X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled |
| 53 by default) and adds B<policy> to the acceptable policy set. |
| 54 |
| 55 X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled |
| 56 by default) and sets the acceptable policy set to B<policies>. Any existing |
| 57 policy set is cleared. The B<policies> parameter can be B<NULL> to clear |
| 58 an existing policy set. |
| 59 |
| 60 X509_VERIFY_PARAM_set_depth() sets the maximum verification depth to B<depth>. |
| 61 That is the maximum number of untrusted CA certificates that can appear in a |
| 62 chain. |
| 63 |
| 64 =head1 RETURN VALUES |
| 65 |
| 66 X509_VERIFY_PARAM_set_flags(), X509_VERIFY_PARAM_clear_flags(), |
| 67 X509_VERIFY_PARAM_set_purpose(), X509_VERIFY_PARAM_set_trust(), |
| 68 X509_VERIFY_PARAM_add0_policy() and X509_VERIFY_PARAM_set1_policies() return 1 |
| 69 for success and 0 for failure. |
| 70 |
| 71 X509_VERIFY_PARAM_get_flags() returns the current verification flags. |
| 72 |
| 73 X509_VERIFY_PARAM_set_time() and X509_VERIFY_PARAM_set_depth() do not return |
| 74 values. |
| 75 |
| 76 X509_VERIFY_PARAM_get_depth() returns the current verification depth. |
| 77 |
| 78 =head1 VERIFICATION FLAGS |
| 79 |
| 80 The verification flags consists of zero or more of the following flags |
| 81 ored together. |
| 82 |
| 83 B<X509_V_FLAG_CRL_CHECK> enables CRL checking for the certificate chain leaf |
| 84 certificate. An error occurs if a suitable CRL cannot be found. |
| 85 |
| 86 B<X509_V_FLAG_CRL_CHECK_ALL> enables CRL checking for the entire certificate |
| 87 chain. |
| 88 |
| 89 B<X509_V_FLAG_IGNORE_CRITICAL> disabled critical extension checking. By default |
| 90 any unhandled critical extensions in certificates or (if checked) CRLs results |
| 91 in a fatal error. If this flag is set unhandled critical extensions are |
| 92 ignored. B<WARNING> setting this option for anything other than debugging |
| 93 purposes can be a security risk. Finer control over which extensions are |
| 94 supported can be performed in the verification callback. |
| 95 |
| 96 THe B<X509_V_FLAG_X509_STRICT> flag disables workarounds for some broken |
| 97 certificates and makes the verification strictly apply B<X509> rules. |
| 98 |
| 99 B<X509_V_FLAG_ALLOW_PROXY_CERTS> enables proxy certificate verification. |
| 100 |
| 101 B<X509_V_FLAG_POLICY_CHECK> enables certificate policy checking, by default |
| 102 no policy checking is peformed. Additional information is sent to the |
| 103 verification callback relating to policy checking. |
| 104 |
| 105 B<X509_V_FLAG_EXPLICIT_POLICY>, B<X509_V_FLAG_INHIBIT_ANY> and |
| 106 B<X509_V_FLAG_INHIBIT_MAP> set the B<require explicit policy>, B<inhibit any |
| 107 policy> and B<inhibit policy mapping> flags respectively as defined in |
| 108 B<RFC3280>. Policy checking is automatically enabled if any of these flags |
| 109 are set. |
| 110 |
| 111 If B<X509_V_FLAG_NOTIFY_POLICY> is set and the policy checking is successful |
| 112 a special status code is set to the verification callback. This permits it |
| 113 to examine the valid policy tree and perform additional checks or simply |
| 114 log it for debugging purposes. |
| 115 |
| 116 By default some addtional features such as indirect CRLs and CRLs signed by |
| 117 different keys are disabled. If B<X509_V_FLAG_EXTENDED_CRL_SUPPORT> is set |
| 118 they are enabled. |
| 119 |
| 120 If B<X509_V_FLAG_USE_DELTAS> ise set delta CRLs (if present) are used to |
| 121 determine certificate status. If not set deltas are ignored. |
| 122 |
| 123 B<X509_V_FLAG_CHECK_SS_SIGNATURE> enables checking of the root CA self signed |
| 124 cerificate signature. By default this check is disabled because it doesn't |
| 125 add any additional security but in some cases applications might want to |
| 126 check the signature anyway. A side effect of not checking the root CA |
| 127 signature is that disabled or unsupported message digests on the root CA |
| 128 are not treated as fatal errors. |
| 129 |
| 130 The B<X509_V_FLAG_CB_ISSUER_CHECK> flag enables debugging of certificate |
| 131 issuer checks. It is B<not> needed unless you are logging certificate |
| 132 verification. If this flag is set then additional status codes will be sent |
| 133 to the verification callback and it B<must> be prepared to handle such cases |
| 134 without assuming they are hard errors. |
| 135 |
| 136 =head1 NOTES |
| 137 |
| 138 The above functions should be used to manipulate verification parameters |
| 139 instead of legacy functions which work in specific structures such as |
| 140 X509_STORE_CTX_set_flags(). |
| 141 |
| 142 =head1 BUGS |
| 143 |
| 144 Delta CRL checking is currently primitive. Only a single delta can be used and |
| 145 (partly due to limitations of B<X509_STORE>) constructed CRLs are not |
| 146 maintained. |
| 147 |
| 148 If CRLs checking is enable CRLs are expected to be available in the |
| 149 corresponding B<X509_STORE> structure. No attempt is made to download |
| 150 CRLs from the CRL distribution points extension. |
| 151 |
| 152 =head1 EXAMPLE |
| 153 |
| 154 Enable CRL checking when performing certificate verification during SSL |
| 155 connections associated with an B<SSL_CTX> structure B<ctx>: |
| 156 |
| 157 X509_VERIFY_PARAM *param; |
| 158 param = X509_VERIFY_PARAM_new(); |
| 159 X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK); |
| 160 SSL_CTX_set1_param(ctx, param); |
| 161 X509_VERIFY_PARAM_free(param); |
| 162 |
| 163 =head1 SEE ALSO |
| 164 |
| 165 L<X509_verify_cert(3)|X509_verify_cert(3)> |
| 166 |
| 167 =head1 HISTORY |
| 168 |
| 169 TBA |
| 170 |
| 171 =cut |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 9254031:
Upgrade chrome's OpenSSL to same version Android ships with. (Closed)
Base URL: http://src.chromium.org/svn/trunk/deps/third_party/openssl/