Update files for OpenSSL-1.0.0f import.
[dragonfly.git] / secure / lib / libcrypto / man / X509_VERIFY_PARAM_set_flags.3
CommitLineData
e3261593 1.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.19)
01185282
PA
2.\"
3.\" Standard preamble:
4.\" ========================================================================
5.de Sp \" Vertical space (when we can't use .PP)
6.if t .sp .5v
7.if n .sp
8..
9.de Vb \" Begin verbatim text
10.ft CW
11.nf
12.ne \\$1
13..
14.de Ve \" End verbatim text
15.ft R
16.fi
17..
18.\" Set up some character translations and predefined strings. \*(-- will
19.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
20.\" double quote, and \*(R" will give a right double quote. \*(C+ will
21.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
22.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
23.\" nothing in troff, for use with C<>.
24.tr \(*W-
25.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
26.ie n \{\
27. ds -- \(*W-
28. ds PI pi
29. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
31. ds L" ""
32. ds R" ""
33. ds C` ""
34. ds C' ""
35'br\}
36.el\{\
37. ds -- \|\(em\|
38. ds PI \(*p
39. ds L" ``
40. ds R" ''
41'br\}
42.\"
43.\" Escape single quotes in literal strings from groff's Unicode transform.
44.ie \n(.g .ds Aq \(aq
45.el .ds Aq '
46.\"
47.\" If the F register is turned on, we'll generate index entries on stderr for
48.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
49.\" entries marked with X<> in POD. Of course, you'll have to process the
50.\" output yourself in some meaningful fashion.
51.ie \nF \{\
52. de IX
53. tm Index:\\$1\t\\n%\t"\\$2"
54..
55. nr % 0
56. rr F
57.\}
58.el \{\
59. de IX
60..
61.\}
62.\"
63.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
64.\" Fear. Run. Save yourself. No user-serviceable parts.
65. \" fudge factors for nroff and troff
66.if n \{\
67. ds #H 0
68. ds #V .8m
69. ds #F .3m
70. ds #[ \f1
71. ds #] \fP
72.\}
73.if t \{\
74. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
75. ds #V .6m
76. ds #F 0
77. ds #[ \&
78. ds #] \&
79.\}
80. \" simple accents for nroff and troff
81.if n \{\
82. ds ' \&
83. ds ` \&
84. ds ^ \&
85. ds , \&
86. ds ~ ~
87. ds /
88.\}
89.if t \{\
90. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
91. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
92. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
93. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
94. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
95. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
96.\}
97. \" troff and (daisy-wheel) nroff accents
98.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
99.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
100.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
101.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
102.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
103.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
104.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
105.ds ae a\h'-(\w'a'u*4/10)'e
106.ds Ae A\h'-(\w'A'u*4/10)'E
107. \" corrections for vroff
108.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
109.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
110. \" for low resolution devices (crt and lpr)
111.if \n(.H>23 .if \n(.V>19 \
112\{\
113. ds : e
114. ds 8 ss
115. ds o a
116. ds d- d\h'-1'\(ga
117. ds D- D\h'-1'\(hy
118. ds th \o'bp'
119. ds Th \o'LP'
120. ds ae ae
121. ds Ae AE
122.\}
123.rm #[ #] #H #V #F C
124.\" ========================================================================
125.\"
126.IX Title "X509_VERIFY_PARAM_set_flags 3"
e3261593 127.TH X509_VERIFY_PARAM_set_flags 3 "2012-01-04" "1.0.0f" "OpenSSL"
01185282
PA
128.\" For nroff, turn off justification. Always turn off hyphenation; it makes
129.\" way too many mistakes in technical documents.
130.if n .ad l
131.nh
132.SH "NAME"
133X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose, X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth, X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_time, X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies \- X509 verification parameters
134.SH "SYNOPSIS"
135.IX Header "SYNOPSIS"
136.Vb 1
137\& #include <openssl/x509_vfy.h>
138\&
139\& int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags);
140\& int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param,
141\& unsigned long flags);
142\& unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param);
143\&
144\& int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose);
145\& int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust);
146\&
147\& void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t);
148\&
149\& int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
150\& ASN1_OBJECT *policy);
151\& int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
152\& STACK_OF(ASN1_OBJECT) *policies);
153\&
154\& void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth);
155\& int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param);
156.Ve
157.SH "DESCRIPTION"
158.IX Header "DESCRIPTION"
159These functions manipulate the \fBX509_VERIFY_PARAM\fR structure associated with
160a certificate verification operation.
161.PP
162The \fIX509_VERIFY_PARAM_set_flags()\fR function sets the flags in \fBparam\fR by oring
163it with \fBflags\fR. See the \fB\s-1VERIFICATION\s0 \s-1FLAGS\s0\fR section for a complete
164description of values the \fBflags\fR parameter can take.
165.PP
166\&\fIX509_VERIFY_PARAM_get_flags()\fR returns the flags in \fBparam\fR.
167.PP
168\&\fIX509_VERIFY_PARAM_clear_flags()\fR clears the flags \fBflags\fR in \fBparam\fR.
169.PP
170\&\fIX509_VERIFY_PARAM_set_purpose()\fR sets the verification purpose in \fBparam\fR
171to \fBpurpose\fR. This determines the acceptable purpose of the certificate
172chain, for example \s-1SSL\s0 client or \s-1SSL\s0 server.
173.PP
174\&\fIX509_VERIFY_PARAM_set_trust()\fR sets the trust setting in \fBparam\fR to
175\&\fBtrust\fR.
176.PP
177\&\fIX509_VERIFY_PARAM_set_time()\fR sets the verification time in \fBparam\fR to
178\&\fBt\fR. Normally the current time is used.
179.PP
180\&\fIX509_VERIFY_PARAM_add0_policy()\fR enables policy checking (it is disabled
181by default) and adds \fBpolicy\fR to the acceptable policy set.
182.PP
183\&\fIX509_VERIFY_PARAM_set1_policies()\fR enables policy checking (it is disabled
184by default) and sets the acceptable policy set to \fBpolicies\fR. Any existing
185policy set is cleared. The \fBpolicies\fR parameter can be \fB\s-1NULL\s0\fR to clear
186an existing policy set.
187.PP
188\&\fIX509_VERIFY_PARAM_set_depth()\fR sets the maximum verification depth to \fBdepth\fR.
189That is the maximum number of untrusted \s-1CA\s0 certificates that can appear in a
190chain.
191.SH "RETURN VALUES"
192.IX Header "RETURN VALUES"
193\&\fIX509_VERIFY_PARAM_set_flags()\fR, \fIX509_VERIFY_PARAM_clear_flags()\fR,
194\&\fIX509_VERIFY_PARAM_set_purpose()\fR, \fIX509_VERIFY_PARAM_set_trust()\fR,
195\&\fIX509_VERIFY_PARAM_add0_policy()\fR and \fIX509_VERIFY_PARAM_set1_policies()\fR return 1
196for success and 0 for failure.
197.PP
198\&\fIX509_VERIFY_PARAM_get_flags()\fR returns the current verification flags.
199.PP
200\&\fIX509_VERIFY_PARAM_set_time()\fR and \fIX509_VERIFY_PARAM_set_depth()\fR do not return
201values.
202.PP
203\&\fIX509_VERIFY_PARAM_get_depth()\fR returns the current verification depth.
204.SH "VERIFICATION FLAGS"
205.IX Header "VERIFICATION FLAGS"
206The verification flags consists of zero or more of the following flags
207ored together.
208.PP
209\&\fBX509_V_FLAG_CRL_CHECK\fR enables \s-1CRL\s0 checking for the certificate chain leaf
210certificate. An error occurs if a suitable \s-1CRL\s0 cannot be found.
211.PP
212\&\fBX509_V_FLAG_CRL_CHECK_ALL\fR enables \s-1CRL\s0 checking for the entire certificate
213chain.
214.PP
215\&\fBX509_V_FLAG_IGNORE_CRITICAL\fR disabled critical extension checking. By default
216any unhandled critical extensions in certificates or (if checked) CRLs results
217in a fatal error. If this flag is set unhandled critical extensions are
218ignored. \fB\s-1WARNING\s0\fR setting this option for anything other than debugging
219purposes can be a security risk. Finer control over which extensions are
220supported can be performed in the verification callback.
221.PP
222THe \fBX509_V_FLAG_X509_STRICT\fR flag disables workarounds for some broken
223certificates and makes the verification strictly apply \fBX509\fR rules.
224.PP
225\&\fBX509_V_FLAG_ALLOW_PROXY_CERTS\fR enables proxy certificate verification.
226.PP
227\&\fBX509_V_FLAG_POLICY_CHECK\fR enables certificate policy checking, by default
228no policy checking is peformed. Additional information is sent to the
229verification callback relating to policy checking.
230.PP
231\&\fBX509_V_FLAG_EXPLICIT_POLICY\fR, \fBX509_V_FLAG_INHIBIT_ANY\fR and
232\&\fBX509_V_FLAG_INHIBIT_MAP\fR set the \fBrequire explicit policy\fR, \fBinhibit any
233policy\fR and \fBinhibit policy mapping\fR flags respectively as defined in
234\&\fB\s-1RFC3280\s0\fR. Policy checking is automatically enabled if any of these flags
235are set.
236.PP
237If \fBX509_V_FLAG_NOTIFY_POLICY\fR is set and the policy checking is successful
238a special status code is set to the verification callback. This permits it
239to examine the valid policy tree and perform additional checks or simply
240log it for debugging purposes.
241.PP
242By default some addtional features such as indirect CRLs and CRLs signed by
243different keys are disabled. If \fBX509_V_FLAG_EXTENDED_CRL_SUPPORT\fR is set
244they are enabled.
245.PP
246If \fBX509_V_FLAG_USE_DELTAS\fR ise set delta CRLs (if present) are used to
247determine certificate status. If not set deltas are ignored.
248.PP
249\&\fBX509_V_FLAG_CHECK_SS_SIGNATURE\fR enables checking of the root \s-1CA\s0 self signed
250cerificate signature. By default this check is disabled because it doesn't
251add any additional security but in some cases applications might want to
252check the signature anyway. A side effect of not checking the root \s-1CA\s0
253signature is that disabled or unsupported message digests on the root \s-1CA\s0
254are not treated as fatal errors.
255.PP
256The \fBX509_V_FLAG_CB_ISSUER_CHECK\fR flag enables debugging of certificate
257issuer checks. It is \fBnot\fR needed unless you are logging certificate
258verification. If this flag is set then additional status codes will be sent
259to the verification callback and it \fBmust\fR be prepared to handle such cases
260without assuming they are hard errors.
261.SH "NOTES"
262.IX Header "NOTES"
263The above functions should be used to manipulate verification parameters
264instead of legacy functions which work in specific structures such as
265\&\fIX509_STORE_CTX_set_flags()\fR.
266.SH "BUGS"
267.IX Header "BUGS"
268Delta \s-1CRL\s0 checking is currently primitive. Only a single delta can be used and
269(partly due to limitations of \fBX509_STORE\fR) constructed CRLs are not
270maintained.
271.PP
272If CRLs checking is enable CRLs are expected to be available in the
273corresponding \fBX509_STORE\fR structure. No attempt is made to download
274CRLs from the \s-1CRL\s0 distribution points extension.
275.SH "EXAMPLE"
276.IX Header "EXAMPLE"
277Enable \s-1CRL\s0 checking when performing certificate verification during \s-1SSL\s0
278connections associated with an \fB\s-1SSL_CTX\s0\fR structure \fBctx\fR:
279.PP
280.Vb 5
281\& X509_VERIFY_PARAM *param;
282\& param = X509_VERIFY_PARAM_new();
283\& X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
284\& SSL_CTX_set1_param(ctx, param);
285\& X509_VERIFY_PARAM_free(param);
286.Ve
287.SH "SEE ALSO"
288.IX Header "SEE ALSO"
289\&\fIX509_verify_cert\fR\|(3)
290.SH "HISTORY"
291.IX Header "HISTORY"
292\&\s-1TBA\s0