mirror of
https://github.com/openssl/openssl.git
synced 2025-01-18 13:44:20 +08:00
6725682d77
- In order to not add many X509_XXXX_with_libctx() functions the libctx and propq may be stored in the X509 object via a call to X509_new_with_libctx(). - Loading via PEM_read_bio_X509() or d2i_X509() should pass in a created cert using X509_new_with_libctx(). - Renamed some XXXX_ex() to XXX_with_libctx() for X509 API's. - Removed the extra parameters in check_purpose.. - X509_digest() has been modified so that it expects a const EVP_MD object() and then internally it does the fetch when it needs to (via ASN1_item_digest_with_libctx()). - Added API's that set the libctx when they load such as X509_STORE_new_with_libctx() so that the cert chains can be verified. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12153)
240 lines
9.7 KiB
Plaintext
240 lines
9.7 KiB
Plaintext
=pod
|
|
|
|
=head1 NAME
|
|
|
|
X509_LOOKUP, X509_LOOKUP_TYPE,
|
|
X509_LOOKUP_new, X509_LOOKUP_free, X509_LOOKUP_init,
|
|
X509_LOOKUP_shutdown,
|
|
X509_LOOKUP_set_method_data, X509_LOOKUP_get_method_data,
|
|
X509_LOOKUP_ctrl_with_libctx, X509_LOOKUP_ctrl,
|
|
X509_LOOKUP_load_file_with_libctx, X509_LOOKUP_load_file,
|
|
X509_LOOKUP_add_dir,
|
|
X509_LOOKUP_add_store_with_libctx, X509_LOOKUP_add_store,
|
|
X509_LOOKUP_load_store_with_libctx, X509_LOOKUP_load_store,
|
|
X509_LOOKUP_get_store,
|
|
X509_LOOKUP_by_subject_with_libctx, X509_LOOKUP_by_subject,
|
|
X509_LOOKUP_by_issuer_serial, X509_LOOKUP_by_fingerprint,
|
|
X509_LOOKUP_by_alias
|
|
- OpenSSL certificate lookup mechanisms
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
#include <openssl/x509_vfy.h>
|
|
|
|
typedef x509_lookup_st X509_LOOKUP;
|
|
|
|
typedef enum X509_LOOKUP_TYPE;
|
|
|
|
X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method);
|
|
int X509_LOOKUP_init(X509_LOOKUP *ctx);
|
|
int X509_LOOKUP_shutdown(X509_LOOKUP *ctx);
|
|
void X509_LOOKUP_free(X509_LOOKUP *ctx);
|
|
|
|
int X509_LOOKUP_set_method_data(X509_LOOKUP *ctx, void *data);
|
|
void *X509_LOOKUP_get_method_data(const X509_LOOKUP *ctx);
|
|
|
|
int X509_LOOKUP_ctrl_with_libctx(X509_LOOKUP *ctx, int cmd, const char *argc,
|
|
long argl, char **ret, OPENSSL_CTX *libctx,
|
|
const char *propq);
|
|
int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc,
|
|
long argl, char **ret);
|
|
int X509_LOOKUP_load_file_with_libctx(X509_LOOKUP *ctx, char *name, long type,
|
|
OPENSSL_CTX *libctx, const char *propq);
|
|
int X509_LOOKUP_load_file(X509_LOOKUP *ctx, char *name, long type);
|
|
int X509_LOOKUP_load_file_with_libctx(X509_LOOKUP *ctx, char *name, long type,
|
|
OPENSSL_CTX *libctx, const char *propq);
|
|
int X509_LOOKUP_add_dir(X509_LOOKUP *ctx, char *name, long type);
|
|
int X509_LOOKUP_add_store_with_libctx(X509_LOOKUP *ctx, char *uri,
|
|
OPENSSL_CTX *libctx, const char *propq);
|
|
int X509_LOOKUP_add_store(X509_LOOKUP *ctx, char *uri);
|
|
int X509_LOOKUP_load_store_with_libctx(X509_LOOKUP *ctx, char *uri,
|
|
OPENSSL_CTX *libctx, const char *propq);
|
|
int X509_LOOKUP_load_store(X509_LOOKUP *ctx, char *uri);
|
|
|
|
X509_STORE *X509_LOOKUP_get_store(const X509_LOOKUP *ctx);
|
|
|
|
int X509_LOOKUP_by_subject_with_libctx(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
|
|
const X509_NAME *name, X509_OBJECT *ret,
|
|
OPENSSL_CTX *libctx, const char *propq);
|
|
int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
|
|
const X509_NAME *name, X509_OBJECT *ret);
|
|
int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
|
|
const X509_NAME *name,
|
|
const ASN1_INTEGER *serial, X509_OBJECT *ret);
|
|
int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
|
|
const unsigned char *bytes, int len,
|
|
X509_OBJECT *ret);
|
|
int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
|
|
const char *str, int len, X509_OBJECT *ret);
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
The B<X509_LOOKUP> structure holds the information needed to look up
|
|
certificates and CRLs according to an associated L<X509_LOOKUP_METHOD(3)>.
|
|
Multiple B<X509_LOOKUP> instances can be added to an L<X509_STORE(3)>
|
|
to enable lookup in that store.
|
|
|
|
X509_LOOKUP_new() creates a new B<X509_LOOKUP> using the given lookup
|
|
I<method>.
|
|
It can also be created by calling L<X509_STORE_add_lookup(3)>, which
|
|
will associate a B<X509_STORE> with the lookup mechanism.
|
|
|
|
X509_LOOKUP_init() initializes the internal state and resources as
|
|
needed by the given B<X509_LOOKUP> to do its work.
|
|
|
|
X509_LOOKUP_shutdown() tears down the internal state and resources of
|
|
the given B<X509_LOOKUP>.
|
|
|
|
X509_LOOKUP_free() destructs the given B<X509_LOOKUP>.
|
|
|
|
X509_LOOKUP_set_method_data() and X509_LOOKUP_get_method_data()
|
|
associates and retrieves a pointer to application data to and from the
|
|
given B<X509_LOOKUP>, respectively.
|
|
|
|
X509_LOOKUP_ctrl_with_libctx() is used to set or get additional data to or from
|
|
a B<X509_LOOKUP> structure or its associated L<X509_LOOKUP_METHOD(3)>.
|
|
The arguments of the control command are passed via I<argc> and I<argl>,
|
|
its return value via I<*ret>. The library context I<libctx> and property
|
|
query <propq> are used when fetching algorithms from providers.
|
|
The meaning of the arguments depends on the I<cmd> number of the
|
|
control command. In general, this function is not called directly, but
|
|
wrapped by a macro call, see below.
|
|
The control I<cmd>s known to OpenSSL are discussed in more depth
|
|
in L</Control Commands>.
|
|
|
|
X509_LOOKUP_ctrl() is similar to X509_LOOKUP_ctrl_with_libctx() but
|
|
uses NULL for the library context I<libctx> and property query <propq>.
|
|
|
|
X509_LOOKUP_load_file_with_libctx() passes a filename to be loaded immediately
|
|
into the associated B<X509_STORE>. The library context I<libctx> and property
|
|
query <propq> are used when fetching algorithms from providers.
|
|
I<type> indicates what type of object is expected.
|
|
This can only be used with a lookup using the implementation
|
|
L<X509_LOOKUP_file(3)>.
|
|
|
|
X509_LOOKUP_load_file() is similar to X509_LOOKUP_load_file_with_libctx() but
|
|
uses NULL for the library context I<libctx> and property query <propq>.
|
|
|
|
X509_LOOKUP_add_dir() passes a directory specification from which
|
|
certificates and CRLs are loaded on demand into the associated
|
|
B<X509_STORE>.
|
|
I<type> indicates what type of object is expected.
|
|
This can only be used with a lookup using the implementation
|
|
L<X509_LOOKUP_hash_dir(3)>.
|
|
|
|
X509_LOOKUP_add_store_with_libctx() passes a URI for a directory-like structure
|
|
from which containers with certificates and CRLs are loaded on demand
|
|
into the associated B<X509_STORE>. The library context I<libctx> and property
|
|
query <propq> are used when fetching algorithms from providers.
|
|
|
|
X509_LOOKUP_add_store() is similar to X509_LOOKUP_add_store_with_libctx() but
|
|
uses NULL for the library context I<libctx> and property query <propq>.
|
|
|
|
X509_LOOKUP_load_store_with_libctx() passes a URI for a single container from
|
|
which certificates and CRLs are immediately loaded into the associated
|
|
B<X509_STORE>. The library context I<libctx> and property query <propq> are used
|
|
when fetching algorithms from providers.
|
|
These functions can only be used with a lookup using the
|
|
implementation L<X509_LOOKUP_store(3)>.
|
|
|
|
X509_LOOKUP_load_store() is similar to X509_LOOKUP_load_store_with_libctx() but
|
|
uses NULL for the library context I<libctx> and property query <propq>.
|
|
|
|
X509_LOOKUP_load_file_with_libctx(), X509_LOOKUP_load_file(),
|
|
X509_LOOKUP_add_dir(),
|
|
X509_LOOKUP_add_store_with_libctx() X509_LOOKUP_add_store(),
|
|
X509_LOOKUP_load_store_with_libctx() and X509_LOOKUP_load_store() are
|
|
implemented as macros that use X509_LOOKUP_ctrl().
|
|
|
|
X509_LOOKUP_by_subject_with_libctx(), X509_LOOKUP_by_subject(),
|
|
X509_LOOKUP_by_issuer_serial(), X509_LOOKUP_by_fingerprint(), and
|
|
X509_LOOKUP_by_alias() look up certificates and CRLs in the L<X509_STORE(3)>
|
|
associated with the B<X509_LOOKUP> using different criteria, where the looked up
|
|
object is stored in I<ret>.
|
|
Some of the underlying B<X509_LOOKUP_METHOD>s will also cache objects
|
|
matching the criteria in the associated B<X509_STORE>, which makes it
|
|
possible to handle cases where the criteria have more than one hit.
|
|
|
|
=head2 Control Commands
|
|
|
|
The B<X509_LOOKUP_METHOD>s built into OpenSSL recognize the following
|
|
X509_LOOKUP_ctrl() I<cmd>s:
|
|
|
|
=over 4
|
|
|
|
=item B<X509_L_FILE_LOAD>
|
|
|
|
This is the command that X509_LOOKUP_load_file_with_libctx() and
|
|
X509_LOOKUP_load_file() use.
|
|
The filename is passed in I<argc>, and the type in I<argl>.
|
|
|
|
=item B<X509_L_ADD_DIR>
|
|
|
|
This is the command that X509_LOOKUP_add_dir() uses.
|
|
The directory specification is passed in I<argc>, and the type in
|
|
I<argl>.
|
|
|
|
=item B<X509_L_ADD_STORE>
|
|
|
|
This is the command that X509_LOOKUP_add_store_with_libctx() and
|
|
X509_LOOKUP_add_store() use.
|
|
The URI is passed in I<argc>.
|
|
|
|
=item B<X509_L_LOAD_STORE>
|
|
|
|
This is the command that X509_LOOKUP_load_store_with_libctx() and
|
|
X509_LOOKUP_load_store() use.
|
|
The URI is passed in I<argc>.
|
|
|
|
=back
|
|
|
|
=head1 RETURN VALUES
|
|
|
|
X509_LOOKUP_new() returns a B<X509_LOOKUP> pointer when successful,
|
|
or NULL on error.
|
|
|
|
X509_LOOKUP_init() and X509_LOOKUP_shutdown() return 1 on success, or
|
|
0 on error.
|
|
|
|
X509_LOOKUP_ctrl() returns -1 if the B<X509_LOOKUP> doesn't have an
|
|
associated B<X509_LOOKUP_METHOD>, or 1 if the X<509_LOOKUP_METHOD>
|
|
doesn't have a control function.
|
|
Otherwise, it returns what the control function in the
|
|
B<X509_LOOKUP_METHOD> returns, which is usually 1 on success and 0 in
|
|
error.
|
|
|
|
X509_LOOKUP_get_store() returns a B<X509_STORE> pointer if there is
|
|
one, otherwise NULL.
|
|
|
|
X509_LOOKUP_by_subject_with_libctx(), X509_LOOKUP_by_subject(),
|
|
X509_LOOKUP_by_issuer_serial(), X509_LOOKUP_by_fingerprint(), and
|
|
X509_LOOKUP_by_alias() all return 0 if there is no B<X509_LOOKUP_METHOD> or that
|
|
method doesn't implement the corresponding function.
|
|
Otherwise, it returns what the corresponding function in the
|
|
B<X509_LOOKUP_METHOD> returns, which is usually 1 on success and 0 in
|
|
error.
|
|
|
|
=head1 SEE ALSO
|
|
|
|
L<X509_LOOKUP_METHOD(3)>, L<X509_STORE(3)>
|
|
|
|
=head1 HISTORY
|
|
|
|
The functions X509_LOOKUP_by_subject_with_libctx() and
|
|
X509_LOOKUP_ctrl_with_libctx() were added in OpenSSL 3.0.
|
|
|
|
The macros X509_LOOKUP_load_file_with_libctx(),
|
|
X509_LOOKUP_load_store_with_libctx() and 509_LOOKUP_add_store_with_libctx() were
|
|
added in OpenSSL 3.0.
|
|
|
|
=head1 COPYRIGHT
|
|
|
|
Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
|
|
|
|
Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
this file except in compliance with the License. You can obtain a copy
|
|
in the file LICENSE in the source distribution or at
|
|
L<https://www.openssl.org/source/license.html>.
|
|
|
|
=cut
|