X509_STORE *X509_STORE_new();
void X509_STORE_free(v)
X509_STORE *v;
X509_LOOKUP *X509_STORE_add_lookup(v, m)
X509_STORE *v;
X509_LOOKUP_METHOD *m;
int X509_STORE_set_default_paths(ctx)
X509_STORE *ctx;
int X509_STORE_load_locations(ctx, file, dir)
X509_STORE *ctx;
char *file;
char *dir;
int X509_STORE_add_cert(ctx, x)
X509_STORE *ctx;
X509 *x;
int X509_STORE_add_crl(ctx, x)
X509_STORE *ctx;
X509_CRL *x;
int X509_STORE_get_by_subject(vs, type, name, ret)
X509_STORE_CTX *vs;
int type;
X509_NAME *name;
X509_OBJECT *ret;
void X509_STORE_CTX_init(ctx, store, x509, chain)
X509_STORE_CTX *ctx;
X509_STORE *store;
X509 *x509;
STACK *chain;
void X509_STORE_CTX_cleanup(ctx)
X509_STORE_CTX *ctx;
void X509_STORE_CTX_set_error(ctx, s)
X509_STORE_CTX *ctx;
int s;
int X509_STORE_CTX_get_error(ctx)
X509_STORE_CTX *ctx;
int X509_STORE_CTX_get_error_depth(ctx)
X509_STORE_CTX *ctx;
void X509_STORE_CTX_set_cert(c, x)
X509_STORE_CTX *c;
X509 *x;
X509 *X509_STORE_CTX_get_current_cert(ctx)
X509_STORE_CTX *ctx;
void X509_STORE_CTX_set_chain(c, sk)
X509_STORE_CTX *c;
STACK /* X509 */ *sk;
STACK *X509_STORE_CTX_get_chain(ctx)
X509_STORE_CTX *ctx;
int X509_STORE_CTX_get_ex_new_index(argl, argp, new_func, dup_func, free_func)
long argl;
char *argp;
int (*new_func)();
int (*dup_func)();
,
void (*free_func)();
int X509_STORE_CTX_set_ex_data(ctx, idx, data)
X509_STORE_CTX *ctx;
int idx;
char *data;
char *X509_STORE_CTX_get_ex_data(ctx, idx)
X509_STORE_CTX *ctx;
int idx;
macro X509_STORE_CTX_get_app_data
These functions all operate on an X509_STORE,
typedef struct x509_store_st
{
/* The following is a cache of trusted certs */
int cache; /* if true, stash any hits */
#ifdef HEADER_LHASH_H
LHASH *certs; /* cached certs; */
#else
char *certs;
#endif
/* These are external lookup methods */
STACK *get_cert_methods;/* X509_LOOKUP */
int (*verify)(); /* called to verify a certificate */
int (*verify_cb)(); /* error callback */
CRYPTO_EX_DATA ex_data;
int references;
int depth; /* how deep to look */
} X509_STORE;
or X509_STORE_CTX,
typedef struct x509_store_state_st
{
X509_STORE *ctx;
int current_method; /* used when looking up certs */
/* The following are set by the caller */
X509 *cert; /* The cert to check */
STACK *untrusted; /* chain of X509s - untrusted - passed in */
/* The following is built up */
int depth; /* how far to go looking up certs */
int valid; /* if 0, rebuild chain */
int last_untrusted; /* index of last untrusted cert */
STACK *chain; /* chain of X509s - built up and trusted */
/* When something goes wrong, this is why */
int error_depth;
int error;
X509 *current_cert;
CRYPTO_EX_DATA ex_data;
} X509_STORE_CTX;
X509_STORE_new crfeates a new X509_STORE structure and returns a pointer to it; NULL is returned on error.
X509_STORE_free frees v, which includes calling X509_LOOKUP_shutdown and X509_LOOKUP_free on every X509_LOOKUP in the stack v->get_cert_methods.
X509_STORE_add_lookup adds the X509_LOOKUP_METHOD m to the stack v->get_cert_methods after creating an X509_LOOKUP that contains it as a subfield. It returns a pointer to the new X509_LOOKUP structure or NULL on error.
X509_STORE_set_default_paths calls X509_STORE_add_lookup to add X509_LOOKUP_file() and X509_LOOKUP_hash_dir() to the lookup methods used by ctx. X509_LOOKUP_file() allows you to look up a cert in a specific file; X509_LOOKUP_hash_dir allows you to look up a cert in a directory which has a pile of certificates, each named by hashing the subject name and converting the first four bytes to ascii; then a number is tacked on to the end to indicate whether it is the first, second, third... with the same starting name. For example, "c605ac92.0".
It also adds one directory to the list which will be searched; unless you change this, it is X509_CERT_DIR (defined in cryptlib.h as "/usr/local/ssl/certs").
It returns 1 on success or 0 on error.
X509_STORE_load_locations calls X509_STORE_add_lookup to add X509_LOOKUP_file() and X509_LOOKUP_hash_dir() to the lookup methods used by ctx. See the previous function for a description of what these lookup methods do. It then reads in the file which is expected to contain a certificate or crl in PEM format, and adds the certificate or crl to ctx as a trusted certificate, for use during verification. It also adds dir to the list of directories that will be searched for trusted certificates. The function returns 1 on success or 0 on error.
X509_STORE_add_cert adds the certificate x to the list of trusted certificates in ctx that will be used for verification.
X509_STORE_add_crl adds the crl x to the list of crls in ctx that will be used for verification.
X509_STORE_get_by_subject first looks in the list in ctx for the certificate or crl with the subject name, and if it doesn't find it there, goes through its list of lookup methods and for each one calls X509_LOOKUP_by_subject which in turn invokes ctx->method->get_by_subject to try to get the certificate or crl from somewhere else. If it is found it is copied into the list in ctx (if you use the predefined methods available with this library).
type indicates whether you are looking for a certificate or a crl; it must be one of X509_LU_X509 or X509_LU_CRL.
If the certificate or crl is found by some means, then it is placed into ret (which *must* not be NULL) with an indicator of the type of object returned. This function returns 1 on a match and 0 on error or if no match was found.
Note that there is neither a new nor a free function for X509_STORE_CTX. Oh well.
X509_STORE_CTX_init sets all fields of ctxto 0 or NULL or makes them empty, and then adds in x509 as the certificate to be verified, chain as the certificate chain to be verified (this can be NULL), and store as the X509_STORE of trusted certificates and lookup methods for retrieving them.
X509_STORE_CTX_cleanup frees any temporary data in ctx allocated during verification.
just sets the error subfield of ctx to err, which should be one of those defined in x509_vfy.h:
X509_V_OK X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT X509_V_ERR_UNABLE_TO_GET_CRL X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY X509_V_ERR_CERT_SIGNATURE_FAILURE X509_V_ERR_CRL_SIGNATURE_FAILURE X509_V_ERR_CERT_NOT_YET_VALID X509_V_ERR_CERT_HAS_EXPIRED X509_V_ERR_CRL_NOT_YET_VALID X509_V_ERR_CRL_HAS_EXPIRED X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD X509_V_ERR_OUT_OF_MEM X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE X509_V_ERR_CERT_CHAIN_TOO_LONG X509_V_ERR_CERT_REVOKED X509_V_ERR_APPLICATION_VERIFICATION
X509_STORE_CTX_get_error returns ctx->error.
X509_STORE_CTX_get_error_depth returns ctx->error_depth. If you want to set this field you have to do it directly. :( It indicates where in the chain a verification error occurred.
X509_STORE_CTX_set_cert ets the certificate to be verified to x in c.
X509_STORE_CTX_get_current_cert returns the cerficate for which there is an error (this may be NULL).
X509_STORE_CTX_set_chain sets the chain of certificates that are to be verified, in c. The argument sk should be a STACK of pointers to X509 structures.
X509_STORE_CTX_get_chain returns ctx->chain, which, after verification, is the full chain of certificates including those we were able to dig out of our trusted certs list, up to maximum depth or a self-signed certificate (or a certificate for which we have no issuer).