mirror of https://github.com/openssl/openssl.git, synced 2024-12-09 05:51:54 +08:00
6725682d77
- In order to not add many X509_XXXX_with_libctx() functions the libctx and propq may be stored in the X509 object via a call to X509_new_with_libctx().
- Loading via PEM_read_bio_X509() or d2i_X509() should pass in a created cert using X509_new_with_libctx().
- Renamed some XXXX_ex() to XXX_with_libctx() for X509 APIs.
- Removed the extra parameters in check_purpose..
- X509_digest() has been modified so that it expects a const EVP_MD object() and then internally it does the fetch when it needs to (via ASN1_item_digest_with_libctx()).
- Added APIs that set the libctx when they load such as X509_STORE_new_with_libctx() so that the cert chains can be verified.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12153)
83 lines
2.6 KiB
Plaintext
=pod

=head1 NAME

X509_verify, X509_self_signed,
X509_REQ_verify_with_libctx, X509_REQ_verify,
X509_CRL_verify -
verify certificate, certificate request, or CRL signature

=head1 SYNOPSIS

 #include <openssl/x509.h>

 int X509_verify(X509 *x, EVP_PKEY *pkey);
 int X509_self_signed(X509 *cert, int verify_signature);

 int X509_REQ_verify_with_libctx(X509_REQ *a, EVP_PKEY *pkey,
                                 OPENSSL_CTX *libctx, const char *propq);
 int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r);
 int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r);

=head1 DESCRIPTION

X509_verify() verifies the signature of certificate I<x> using public key
I<pkey>. Only the signature is checked: no other checks (such as certificate
chain validity) are performed.

X509_self_signed() checks whether a certificate is self-signed.
For success the issuer and subject names must match, the components of the
authority key identifier (if present) must match the subject key identifier etc.
The signature itself is verified only if B<verify_signature> is 1; for
explicitly trusted certificates this verification is not worth the effort, so
0 may be passed to skip it.

X509_REQ_verify_with_libctx() and X509_REQ_verify() verify the signature of
certificate request I<a>, and X509_CRL_verify() verifies the signature of CRL
I<a>, using public key I<pkey> or I<r> respectively.
X509_REQ_verify_with_libctx() additionally takes the library context I<libctx>
and property query string I<propq> used to fetch the signature algorithm
implementation.

=head1 RETURN VALUES

X509_verify(),
X509_REQ_verify_with_libctx(), X509_REQ_verify() and X509_CRL_verify()
return 1 if the signature is valid and 0 if the signature check fails.
If the signature could not be checked at all because it was ill-formed
or some other error occurred then -1 is returned.
Callers should therefore test explicitly for a return value of 1: treating
any nonzero result as success would also accept the -1 error case.

X509_self_signed() returns the same values but also returns 1
if all respective fields match and B<verify_signature> is 0.

=head1 SEE ALSO

L<d2i_X509(3)>,
L<ERR_get_error(3)>,
L<X509_CRL_get0_by_serial(3)>,
L<X509_get0_signature(3)>,
L<X509_get_ext_d2i(3)>,
L<X509_get_extension_flags(3)>,
L<X509_get_pubkey(3)>,
L<X509_get_subject_name(3)>,
L<X509_get_version(3)>,
L<X509_NAME_ENTRY_get_object(3)>,
L<X509_NAME_get_index_by_NID(3)>,
L<X509_NAME_print_ex(3)>,
L<X509V3_get_d2i(3)>,
L<X509_verify_cert(3)>,
L<OPENSSL_CTX(3)>

=head1 HISTORY

The X509_verify(), X509_REQ_verify(), and X509_CRL_verify()
functions are available in all versions of OpenSSL.

X509_REQ_verify_with_libctx() and X509_self_signed() were added in OpenSSL 3.0.

=head1 COPYRIGHT

Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut